# Flog Txt Version 1 # Analyzer Version: 4.4.0 # Analyzer Build Date: Dec 8 2021 20:04:45 # Log Creation Date: 27.12.2021 17:14:14.101 Process: id = "1" image_name = "avaddon_09_06_2020_1054kb.exe" filename = "c:\\users\\keecfmwgj\\desktop\\avaddon_09_06_2020_1054kb.exe" page_root = "0x44774000" os_pid = "0xae4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x390" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 112 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 113 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 114 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 115 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 116 start_va = 0xb0000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 117 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 118 start_va = 0x1160000 end_va = 0x1269fff monitored = 1 entry_point = 0x11a81c7 region_type = mapped_file name = "avaddon_09_06_2020_1054kb.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\avaddon_09_06_2020_1054kb.exe") Region: id = 119 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 120 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 121 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 122 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 123 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 124 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 125 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 126 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 127 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 266 start_va = 0x1b0000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 267 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 268 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 269 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 270 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 271 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 272 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 273 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 274 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 275 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 276 start_va = 0x3b0000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 277 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 278 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 279 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 280 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 281 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 282 start_va = 0xf0000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 283 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 284 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 285 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 286 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 287 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 288 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 289 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 290 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 291 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 292 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 293 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 294 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 295 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 296 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 297 start_va = 0x753f0000 end_va = 0x75401fff monitored = 0 entry_point = 0x753f1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 298 start_va = 0x753d0000 end_va = 0x753e0fff monitored = 0 entry_point = 0x753d1300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 299 start_va = 0x753c0000 end_va = 0x753c8fff monitored = 0 entry_point = 0x753c15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 300 start_va = 0x753a0000 end_va = 0x753b8fff monitored = 0 entry_point = 0x753a1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 301 start_va = 0x75390000 end_va = 0x7539efff monitored = 0 entry_point = 0x753912a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 302 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 303 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 304 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 305 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 306 start_va = 0x75360000 end_va = 0x75387fff monitored = 0 entry_point = 0x7537d352 region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\SysWOW64\\RstrtMgr.dll" (normalized: "c:\\windows\\syswow64\\rstrtmgr.dll") Region: id = 307 start_va = 0x75320000 end_va = 0x75357fff monitored = 0 entry_point = 0x75321489 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 308 start_va = 0x75300000 end_va = 0x75316fff monitored = 0 entry_point = 0x753035fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 309 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 310 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 311 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 312 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 313 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 314 start_va = 0x570000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 315 start_va = 0x570000 end_va = 0x6f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 316 start_va = 0x720000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 317 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 318 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 319 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 320 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 321 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 322 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 323 start_va = 0x730000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 324 start_va = 0x1270000 end_va = 0x266ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 325 start_va = 0x73550000 end_va = 0x73552fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 326 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 327 start_va = 0x60000 end_va = 0x9bfff monitored = 0 entry_point = 0x6128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 328 start_va = 0x60000 end_va = 0x9bfff monitored = 0 entry_point = 0x6128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 329 start_va = 0x60000 end_va = 0x9bfff monitored = 0 entry_point = 0x6128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 330 start_va = 0x60000 end_va = 0x9bfff monitored = 0 entry_point = 0x6128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 331 start_va = 0x60000 end_va = 0x9bfff monitored = 0 entry_point = 0x6128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 332 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 333 start_va = 0x8c0000 end_va = 0xb8efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 334 start_va = 0x72c70000 end_va = 0x72c86fff monitored = 0 entry_point = 0x72c71c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 335 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 336 start_va = 0x60000 end_va = 0x61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 337 start_va = 0x270000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 338 start_va = 0xd70000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 339 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 340 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 341 start_va = 0x70000 end_va = 0x70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 342 start_va = 0x80000 end_va = 0x81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 343 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 344 start_va = 0x90000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 345 start_va = 0xa0000 end_va = 0xa7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 346 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 347 start_va = 0x74560000 end_va = 0x745a3fff monitored = 0 entry_point = 0x745763f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 348 start_va = 0xb90000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 349 start_va = 0x77230000 end_va = 0x77232fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\SysWOW64\\normaliz.dll" (normalized: "c:\\windows\\syswow64\\normaliz.dll") Region: id = 350 start_va = 0xd30000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 351 start_va = 0xe90000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 352 start_va = 0x76b60000 end_va = 0x76b8efff monitored = 0 entry_point = 0x76b62a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 353 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 354 start_va = 0x72c30000 end_va = 0x72c6efff monitored = 0 entry_point = 0x72c32351 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 355 start_va = 0xbe0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 356 start_va = 0xc40000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 357 start_va = 0x26d0000 end_va = 0x27cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 358 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 359 start_va = 0x74360000 end_va = 0x743b1fff monitored = 0 entry_point = 0x743614be region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 360 start_va = 0x74340000 end_va = 0x74354fff monitored = 0 entry_point = 0x743412de region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 361 start_va = 0x74330000 end_va = 0x7433cfff monitored = 0 entry_point = 0x74331326 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 362 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 363 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 364 start_va = 0x74320000 end_va = 0x74325fff monitored = 0 entry_point = 0x7432125a region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll") Region: id = 365 start_va = 0x3e0000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 366 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 367 start_va = 0xf90000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 368 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 369 start_va = 0x2680000 end_va = 0x26bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 370 start_va = 0x2810000 end_va = 0x290ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 371 start_va = 0x74310000 end_va = 0x7431ffff monitored = 0 entry_point = 0x743138c1 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 372 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 373 start_va = 0x2910000 end_va = 0x29effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 374 start_va = 0x29f0000 end_va = 0x2bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 375 start_va = 0x29f0000 end_va = 0x2b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 376 start_va = 0x2bb0000 end_va = 0x2bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 377 start_va = 0x744b0000 end_va = 0x744b5fff monitored = 0 entry_point = 0x744b14b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 378 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 379 start_va = 0x29f0000 end_va = 0x2aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 380 start_va = 0x745b0000 end_va = 0x745d0fff monitored = 0 entry_point = 0x745b145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 381 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 382 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 383 start_va = 0x190000 end_va = 0x197fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "urlmon.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\urlmon.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\urlmon.dll.mui") Region: id = 384 start_va = 0x744e0000 end_va = 0x7451bfff monitored = 0 entry_point = 0x744e145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 385 start_va = 0x2bc0000 end_va = 0x2d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 386 start_va = 0x744d0000 end_va = 0x744d4fff monitored = 0 entry_point = 0x744d15df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 387 start_va = 0x744c0000 end_va = 0x744c5fff monitored = 0 entry_point = 0x744c1673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 388 start_va = 0x74470000 end_va = 0x744a7fff monitored = 0 entry_point = 0x7447990e region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 389 start_va = 0x2d20000 end_va = 0x2e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 390 start_va = 0x2930000 end_va = 0x296ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 391 start_va = 0x29e0000 end_va = 0x29effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 392 start_va = 0x2fe0000 end_va = 0x30dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 393 start_va = 0x72c20000 end_va = 0x72c27fff monitored = 0 entry_point = 0x72c234d3 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 394 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 395 start_va = 0x72c10000 end_va = 0x72c17fff monitored = 0 entry_point = 0x72c110e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 396 start_va = 0x72bd0000 end_va = 0x72c0cfff monitored = 0 entry_point = 0x72bd10f5 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 397 start_va = 0x2bc0000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 398 start_va = 0x2ce0000 end_va = 0x2d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 399 start_va = 0x72bb0000 end_va = 0x72bc5fff monitored = 0 entry_point = 0x72bb2061 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 767 start_va = 0x1a0000 end_va = 0x1a9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 1206 start_va = 0x30e0000 end_va = 0x32dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 1207 start_va = 0x230000 end_va = 0x230fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1208 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1209 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1210 start_va = 0x72b30000 end_va = 0x72bacfff monitored = 0 entry_point = 0x72b3166a region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll") Region: id = 1211 start_va = 0x250000 end_va = 0x250fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1212 start_va = 0x260000 end_va = 0x266fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1213 start_va = 0x250000 end_va = 0x250fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1214 start_va = 0x260000 end_va = 0x266fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1215 start_va = 0x741c0000 end_va = 0x741eefff monitored = 0 entry_point = 0x741c1142 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 1218 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1219 start_va = 0x250000 end_va = 0x263fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1220 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1221 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1222 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1223 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1224 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1225 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1226 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1227 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1228 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1229 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1230 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1231 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1232 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1233 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1234 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1235 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1236 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1237 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1238 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1239 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1240 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1241 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1242 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1243 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1244 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1245 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1246 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1247 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1248 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1249 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1250 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1251 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1252 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1253 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1254 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1255 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1256 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1257 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1258 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1259 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1260 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1261 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1262 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1263 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1264 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1265 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1266 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1267 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1268 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1269 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1270 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1271 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1272 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1273 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1274 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1275 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1276 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1277 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1278 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1279 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1280 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1281 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1282 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1283 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1284 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1285 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1286 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1287 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1288 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1289 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1290 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1291 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1292 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1293 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1294 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1295 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1296 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1297 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1298 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1299 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1300 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1301 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1302 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1303 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1304 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1305 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1306 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1307 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1308 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1309 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1310 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1311 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1312 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1313 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1314 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1315 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1316 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1317 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1318 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1319 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1320 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1321 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1322 start_va = 0x250000 end_va = 0x263fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1323 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1324 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1325 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1326 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1327 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1328 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1329 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1330 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1331 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1332 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1333 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1334 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1335 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1336 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1337 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1338 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1339 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1340 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1341 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1342 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1343 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1344 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1345 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1346 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1347 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1348 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1349 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1350 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1351 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1352 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1353 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1354 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1355 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1356 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1357 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1358 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1359 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1360 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1361 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1362 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1363 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1364 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1365 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1366 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1367 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1368 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1369 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1370 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1371 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1372 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1373 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1374 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1375 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1376 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1377 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1378 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1379 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1380 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1381 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1382 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1383 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1384 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1385 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1386 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1387 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1388 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1389 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1390 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1391 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1392 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1393 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1394 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1395 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1396 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1397 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1398 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1399 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1400 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1401 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1402 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1403 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1404 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1405 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1406 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1407 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1408 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1409 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1410 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1411 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1412 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1413 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1414 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1415 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1416 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1417 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1418 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1419 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1420 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1421 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1422 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1423 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1424 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1425 start_va = 0x250000 end_va = 0x263fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1426 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1427 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1428 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1429 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1430 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1431 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1432 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1433 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1434 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1435 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1436 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1437 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1438 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1439 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1440 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1441 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1442 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1443 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1444 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1445 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1446 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1447 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1448 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1449 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1450 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1451 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1452 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1453 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1454 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1455 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1456 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1457 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1458 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1459 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1460 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1461 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1462 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1463 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1464 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1465 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1466 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1467 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1468 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1469 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1470 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1471 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1472 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1473 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1474 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1475 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1476 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1477 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1478 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1479 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1480 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1481 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1482 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1483 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1484 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1485 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1486 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1487 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1488 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1489 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1490 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1491 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1492 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1493 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1494 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1495 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1496 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1497 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1498 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1499 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1500 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1501 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1502 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1503 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1504 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1505 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1506 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1507 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1508 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1509 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1510 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1511 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1512 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1513 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1514 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1515 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1516 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1517 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1518 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1519 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1520 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1521 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1522 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1523 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1524 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1525 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1526 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1527 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1528 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1529 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1530 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1531 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1532 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1533 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1534 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1535 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1536 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1537 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1538 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1539 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1540 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1541 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1542 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1543 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1544 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1545 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1546 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1547 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1548 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1549 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1550 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1551 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1552 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1553 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1554 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1555 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1556 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1557 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1558 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1559 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1560 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1561 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1562 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1563 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1564 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1565 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1566 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1567 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1568 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1569 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1570 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1571 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1572 start_va = 0x250000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1573 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1574 start_va = 0x230000 end_va = 0x23dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 2450 start_va = 0x743f0000 end_va = 0x7446ffff monitored = 0 entry_point = 0x744037c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2451 start_va = 0x420000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2452 start_va = 0x2d20000 end_va = 0x2dfefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d20000" filename = "" Region: id = 2453 start_va = 0x2e60000 end_va = 0x2e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 2454 start_va = 0x230000 end_va = 0x231fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 2455 start_va = 0x250000 end_va = 0x250fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 2456 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 2457 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2458 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 2459 start_va = 0x260000 end_va = 0x26cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 2460 start_va = 0xcc0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 2461 start_va = 0x3410000 end_va = 0x350ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 2462 start_va = 0x740a0000 end_va = 0x74194fff monitored = 0 entry_point = 0x740b0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 2463 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 2464 start_va = 0x3b0000 end_va = 0x3b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2465 start_va = 0x3c0000 end_va = 0x3d6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 2466 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 2547 start_va = 0x72ba0000 end_va = 0x72baffff monitored = 0 entry_point = 0x72ba1526 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll") Region: id = 2548 start_va = 0x72b80000 end_va = 0x72b91fff monitored = 0 entry_point = 0x72b818f2 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll") Region: id = 2549 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2550 start_va = 0x72b70000 end_va = 0x72b77fff monitored = 0 entry_point = 0x72b7131e region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll") Region: id = 2551 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2552 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2553 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2554 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2555 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2556 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2557 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2558 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2559 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2560 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2561 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2562 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2563 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2564 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2565 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2566 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2567 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2568 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2569 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2570 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2571 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2572 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2573 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2574 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2575 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2576 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2577 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2578 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2579 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2580 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2581 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2582 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2583 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2584 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2585 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2586 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2587 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2588 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2589 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2590 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2591 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2592 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2593 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2594 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2595 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2596 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2597 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2610 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2630 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2631 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2640 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2650 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2651 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2663 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2666 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2673 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2674 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2682 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2683 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2684 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2688 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2693 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2694 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2695 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2696 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2697 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2698 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2699 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2700 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2701 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2702 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2703 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2704 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2705 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2706 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2707 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2708 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2709 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2710 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2711 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2712 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2713 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2714 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2715 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2823 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2824 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2825 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2826 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2827 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2828 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2829 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2830 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2831 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2832 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2833 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2834 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2835 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2836 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2837 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2838 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2839 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2840 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2841 start_va = 0x2ea0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2874 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2897 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2912 start_va = 0x1090000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Thread: id = 1 os_tid = 0xae8 [0077.340] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af9ec | out: lpSystemTimeAsFileTime=0x3af9ec*(dwLowDateTime=0x4e4c7620, dwHighDateTime=0x1d7fb45)) [0077.340] GetCurrentThreadId () returned 0xae8 [0077.340] GetCurrentProcessId () returned 0xae4 [0077.340] QueryPerformanceCounter (in: lpPerformanceCount=0x3af9e4 | out: lpPerformanceCount=0x3af9e4*=1562073651499) returned 1 [0077.433] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0077.433] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0077.441] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0077.441] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.441] GetLastError () returned 0x7e [0077.442] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0077.442] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0077.442] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0077.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0077.442] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0077.443] GetProcessHeap () returned 0x470000 [0077.443] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.443] GetLastError () returned 0x7e [0077.443] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0077.443] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0077.444] GetLastError () returned 0x7e [0077.444] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0077.444] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0077.444] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x364) returned 0x48f7f8 [0077.444] SetLastError (dwErrCode=0x7e) [0077.444] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe00) returned 0x48fb68 [0077.447] GetStartupInfoW (in: lpStartupInfo=0x3af924 | out: lpStartupInfo=0x3af924*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x11be660, hStdOutput=0xfc5c49ed, hStdError=0xfffffffe)) [0077.447] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0077.447] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0077.447] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0077.447] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe\" " [0077.447] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe\" " [0077.447] GetACP () returned 0x4e4 [0077.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x220) returned 0x48ece0 [0077.447] IsValidCodePage (CodePage=0x4e4) returned 1 [0077.447] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x3af944 | out: lpCPInfo=0x3af944) returned 1 [0077.447] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x3af20c | out: lpCPInfo=0x3af20c) returned 1 [0077.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3af820, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3af820, cbMultiByte=256, lpWideCharStr=0x3aefa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0077.447] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x3af220 | out: lpCharType=0x3af220) returned 1 [0077.448] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3af820, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.448] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3af820, cbMultiByte=256, lpWideCharStr=0x3aef68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0077.448] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.448] GetLastError () returned 0x7e [0077.448] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0077.448] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0077.448] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x3aed58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0077.448] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x3af720, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿùÕCý\\ù:", lpUsedDefaultChar=0x0) returned 256 [0077.448] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3af820, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.449] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3af820, cbMultiByte=256, lpWideCharStr=0x3aef78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0077.449] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0077.449] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x3aed68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0077.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x3af620, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿùÕCý\\ù:", lpUsedDefaultChar=0x0) returned 256 [0077.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x481c68 [0077.449] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1260320, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\avaddon_09_06_2020_1054kb.exe")) returned 0x38 [0077.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7a) returned 0x491170 [0077.449] RtlInitializeSListHead (in: ListHead=0x125ffb8 | out: ListHead=0x125ffb8) [0077.449] GetLastError () returned 0x0 [0077.449] SetLastError (dwErrCode=0x0) [0077.449] GetEnvironmentStringsW () returned 0x4911f8* [0077.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0e) returned 0x491d10 [0077.450] FreeEnvironmentStringsW (penv=0x4911f8) returned 1 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x98) returned 0x492828 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3e) returned 0x4824d0 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x56) returned 0x48ef08 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6e) returned 0x4928c8 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x78) returned 0x47fd90 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x62) returned 0x492940 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x30) returned 0x48c8a8 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x48) returned 0x4884e0 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x28) returned 0x48c298 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x490d48 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x34) returned 0x4929b0 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x5c) returned 0x4929f0 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x32) returned 0x492a58 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2e) returned 0x48c8e0 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1c) returned 0x490d70 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12a) returned 0x492a98 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7c) returned 0x492bd0 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x36) returned 0x492c58 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3a) returned 0x482518 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x90) returned 0x492c98 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x24) returned 0x48c2c8 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x30) returned 0x48c918 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x36) returned 0x492d30 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x48) returned 0x488530 [0077.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x52) returned 0x492d70 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3c) returned 0x482560 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xd6) returned 0x492dd0 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2e) returned 0x48c950 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1e) returned 0x490d98 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2c) returned 0x48c988 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x54) returned 0x492eb0 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x52) returned 0x492f10 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2c) returned 0x48c9c0 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x26) returned 0x48c2f8 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3e) returned 0x4825a8 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x24) returned 0x48c328 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x30) returned 0x48c9f8 [0077.451] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8c) returned 0x4911f8 [0077.452] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x491d10 | out: hHeap=0x470000) returned 1 [0077.452] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0077.452] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0077.452] GetProcAddress (hModule=0x769b0000, lpProcName="FlsFree") returned 0x769c354f [0077.452] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0077.452] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0077.452] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSectionEx") returned 0x769c4ce0 [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="InitOnceExecuteOnce") returned 0x769dd5f7 [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="CreateEventExW") returned 0x76a446ab [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSemaphoreW") returned 0x769dca32 [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSemaphoreExW") returned 0x76a44735 [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolTimer") returned 0x769dee4e [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadpoolTimer") returned 0x77a2441c [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77a4c50e [0077.453] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolTimer") returned 0x77a4c381 [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolWait") returned 0x769df058 [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadpoolWait") returned 0x77a305d7 [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolWait") returned 0x77a4ca24 [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="FlushProcessWriteBuffers") returned 0x77a00b8c [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77abfde8 [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessorNumber") returned 0x77a51e1d [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSymbolicLinkW") returned 0x76a3d181 [0077.454] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentPackageId") returned 0x0 [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="GetTickCount64") returned 0x769deeb0 [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileInformationByHandleEx") returned 0x769dc767 [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="SetFileInformationByHandle") returned 0x769ecbec [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeConditionVariable") returned 0x77a18456 [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="WakeConditionVariable") returned 0x77a87de4 [0077.455] GetProcAddress (hModule=0x769b0000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeSRWLock") returned 0x77a18456 [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="AcquireSRWLockExclusive") returned 0x77a129f1 [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77a24892 [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="ReleaseSRWLockExclusive") returned 0x77a129ab [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableSRW") returned 0x76a45114 [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolWork") returned 0x769dee15 [0077.456] GetProcAddress (hModule=0x769b0000, lpProcName="SubmitThreadpoolWork") returned 0x77a58491 [0077.457] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolWork") returned 0x77a4d8e2 [0077.457] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringEx") returned 0x76a44c51 [0077.457] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoEx") returned 0x76a44cf1 [0077.457] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0077.457] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x73550000 [0077.457] GetProcAddress (hModule=0x73550000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0077.457] GetProcAddress (hModule=0x73550000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0077.458] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x800) returned 0x491290 [0077.458] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0077.458] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x11a85cf) returned 0x0 [0077.459] RtlInitializeConditionVariable () returned 0x125f72c [0077.459] RtlInitializeConditionVariable () returned 0x125f75c [0077.459] GetCurrentThread () returned 0xfffffffe [0077.459] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x3af998, lpExitTime=0x3af9a0, lpKernelTime=0x3af9a0, lpUserTime=0x3af9a0 | out: lpCreationTime=0x3af998, lpExitTime=0x3af9a0, lpKernelTime=0x3af9a0, lpUserTime=0x3af9a0) returned 1 [0077.459] RtlInitializeSListHead (in: ListHead=0x1260060 | out: ListHead=0x1260060) [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492f70 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x491ee0 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48ca30 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4825f0 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48ca68 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x490fa0 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x490fc8 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x490ff0 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x491018 [0077.460] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x491040 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x491068 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x491090 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4910b8 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4910e0 [0077.461] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x481c68) returned 0x80 [0077.461] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x481c68, Size=0x100) returned 0x491f38 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482638 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48caa0 [0077.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x481c68 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482680 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x492040 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4826c8 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cad8 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482710 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482758 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x491108 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x491130 [0077.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x492fe0 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x4920a8 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493008 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4827a0 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4827e8 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492100 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482830 [0077.463] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482878 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493030 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492158 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x4921b0 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cb10 [0077.464] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x491f38) returned 0x100 [0077.464] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x491f38, Size=0x200) returned 0x492208 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4828c0 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cb48 [0077.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493058 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493080 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4930a8 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4930d0 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4930f8 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493120 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493148 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493170 [0077.465] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493198 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482908 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cb80 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x491f38 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482950 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x491f90 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482998 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cbb8 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4829e0 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482a28 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4931c0 [0077.466] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4931e8 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493210 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492410 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493238 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482a70 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482ab8 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492468 [0077.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482b00 [0077.468] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482b48 [0077.474] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493260 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x4924c0 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492518 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cbf0 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482b90 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cc28 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493288 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4932b0 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4932d8 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493300 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493328 [0077.475] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493350 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493378 [0077.476] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x492208) returned 0x200 [0077.476] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x492208, Size=0x400) returned 0x4937c8 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4933a0 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4933c8 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482bd8 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cc60 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x492208 [0077.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482c20 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x492260 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482c68 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cc98 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482cb0 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482cf8 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4933f0 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493418 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493440 [0077.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493be8 [0077.478] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493468 [0077.478] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482d40 [0077.478] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482d88 [0077.478] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493c40 [0077.478] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x482dd0 [0077.478] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494be8 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493490 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493c98 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493cf0 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48ccd0 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494c30 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cd08 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4934b8 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4934e0 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493508 [0077.479] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493530 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493558 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493580 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4935a8 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4935d0 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4935f8 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494c78 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cd40 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493d48 [0077.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494cc0 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x4922c8 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494d08 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cd78 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494d50 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494d98 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493620 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493648 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493670 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493da0 [0077.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493698 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494de0 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494e28 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493df8 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494e70 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494eb8 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4936c0 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493e50 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493ea8 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x48cdb0 [0077.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494f00 [0077.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495be8 [0077.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4936e8 [0077.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493710 [0077.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493738 [0077.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493760 [0077.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x493788 [0077.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4963e8 [0077.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496410 [0077.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496438 [0077.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496460 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494f48 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495c20 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493f00 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494f90 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x492330 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x494fd8 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495c58 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495020 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495068 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496488 [0077.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4964b0 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4964d8 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493f58 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496500 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4950b0 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4950f8 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x493fb0 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495140 [0077.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495188 [0077.486] RtlSizeHeap (HeapHandle=0x470000, Flags=0x0, MemoryPointer=0x4937c8) returned 0x400 [0077.486] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4937c8, Size=0x800) returned 0x496bd0 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496528 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494008 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494060 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495c90 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4951d0 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495cc8 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496550 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496578 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4965a0 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4965c8 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4965f0 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496618 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496640 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496668 [0077.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496690 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495218 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495d00 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x4940b8 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495260 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x492398 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4952a8 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495d38 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4952f0 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495338 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4966b8 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4966e0 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496708 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494110 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496730 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495380 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4953c8 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494168 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495410 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495458 [0077.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496758 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x4941c0 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494218 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495d70 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4954a0 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495da8 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496780 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4967a8 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4967d0 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4967f8 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496820 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496848 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496870 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496898 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4968c0 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4954e8 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495de0 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494270 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495530 [0077.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x492570 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495578 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495e18 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4955c0 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495608 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4968e8 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496910 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496938 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x4942c8 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496960 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495650 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495698 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494320 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4956e0 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495728 [0077.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496988 [0077.490] GetStartupInfoW (in: lpStartupInfo=0x3af988 | out: lpStartupInfo=0x3af988*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0077.490] GetProcAddress (hModule=0x769b0000, lpProcName="AreFileApisANSI") returned 0x76a44671 [0077.491] LoadLibraryExW (lpLibFileName="api-ms-win-core-string-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x76fe0000 [0077.491] GetProcAddress (hModule=0x76fe0000, lpProcName="CompareStringEx") returned 0x77016a72 [0077.491] GetProcAddress (hModule=0x769b0000, lpProcName="EnumSystemLocalesEx") returned 0x76a447ef [0077.491] LoadLibraryExW (lpLibFileName="api-ms-win-core-datetime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.491] GetLastError () returned 0x7e [0077.491] GetProcAddress (hModule=0x769b0000, lpProcName="GetDateFormatEx") returned 0x76a56c26 [0077.491] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoEx") returned 0x76a44cf1 [0077.492] GetProcAddress (hModule=0x769b0000, lpProcName="GetTimeFormatEx") returned 0x76a56ba1 [0077.492] GetProcAddress (hModule=0x769b0000, lpProcName="GetUserDefaultLocaleName") returned 0x76a44d61 [0077.492] GetProcAddress (hModule=0x769b0000, lpProcName="IsValidLocaleName") returned 0x76a44d81 [0077.492] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-obsolete-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.492] GetLastError () returned 0x7e [0077.492] GetProcAddress (hModule=0x769b0000, lpProcName="LCIDToLocaleName") returned 0x769ecec4 [0077.492] GetProcAddress (hModule=0x769b0000, lpProcName="LocaleNameToLCID") returned 0x76a44da1 [0077.492] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x492400 [0077.492] GetLastError () returned 0x7e [0077.492] SetLastError (dwErrCode=0x7e) [0077.492] GetLastError () returned 0x7e [0077.492] SetLastError (dwErrCode=0x7e) [0077.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x4925d8 [0077.493] GetLastError () returned 0x7e [0077.493] SetLastError (dwErrCode=0x7e) [0077.493] GetLastError () returned 0x7e [0077.493] SetLastError (dwErrCode=0x7e) [0077.493] GetUserDefaultLocaleName (in: lpLocaleName=0x3aefb4, cchLocaleName=85 | out: lpLocaleName="en-US") returned 6 [0077.496] GetACP () returned 0x4e4 [0077.496] IsValidCodePage (CodePage=0x4e4) returned 1 [0077.496] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1001, lpLCData=0x3af0d0, cchData=64 | out: lpLCData="English") returned 8 [0077.497] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1002, lpLCData=0x3af150, cchData=64 | out: lpLCData="United States") returned 14 [0077.497] GetLastError () returned 0x7e [0077.497] SetLastError (dwErrCode=0x7e) [0077.497] GetLastError () returned 0x7e [0077.497] SetLastError (dwErrCode=0x7e) [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3a) returned 0x495770 [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x483468 [0077.497] GetLastError () returned 0x7e [0077.497] SetLastError (dwErrCode=0x7e) [0077.497] GetLastError () returned 0x7e [0077.497] SetLastError (dwErrCode=0x7e) [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3a) returned 0x4957b8 [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x483480 [0077.497] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f6760, cbMultiByte=127, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 127 [0077.497] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x11f6760, cbMultiByte=127, lpWideCharStr=0x3aee68, cchWideChar=127 | out: lpWideCharStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f") returned 127 [0077.497] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f", cchSrc=127, lpCharType=0x3af0a0 | out: lpCharType=0x3af0a0) returned 1 [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x481500 [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x300) returned 0x4937c8 [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x180) returned 0x492698 [0077.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x180) returned 0x4973d8 [0077.498] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x101) returned 0x497560 [0077.498] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x3aef98 | out: lpCPInfo=0x3aef98) returned 1 [0077.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x497561, cbMultiByte=255, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 255 [0077.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x497561, cbMultiByte=255, lpWideCharStr=0x3aecc8, cchWideChar=255 | out: lpWideCharStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 255 [0077.498] LCMapStringEx (in: lpLocaleName="en-US", dwMapFlags=0x100, lpSrcStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=255, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 255 [0077.498] LCMapStringEx (in: lpLocaleName="en-US", dwMapFlags=0x100, lpSrcStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=255, lpDestStr=0x3aeab8, cchDest=255, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 255 [0077.498] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchWideChar=255, lpMultiByteStr=0x492719, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg", lpUsedDefaultChar=0x0) returned 255 [0077.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x497561, cbMultiByte=255, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 255 [0077.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x497561, cbMultiByte=255, lpWideCharStr=0x3aecc8, cchWideChar=255 | out: lpWideCharStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 255 [0077.498] LCMapStringEx (in: lpLocaleName="en-US", dwMapFlags=0x200, lpSrcStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=255, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 255 [0077.498] LCMapStringEx (in: lpLocaleName="en-US", dwMapFlags=0x200, lpSrcStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=255, lpDestStr=0x3aeab8, cchDest=255, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ") returned 255 [0077.498] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ", cchWideChar=255, lpMultiByteStr=0x497459, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fÿ\x99?Fåä", lpUsedDefaultChar=0x0) returned 255 [0077.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x497560, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.498] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x497560, cbMultiByte=256, lpWideCharStr=0x3aecf8, cchWideChar=256 | out: lpWideCharStr="") returned 256 [0077.498] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=256, lpCharType=0x4938c8 | out: lpCharType=0x4938c8) returned 1 [0077.499] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x497560 | out: hHeap=0x470000) returned 1 [0077.499] GetLastError () returned 0x7e [0077.499] SetLastError (dwErrCode=0x7e) [0077.499] GetLastError () returned 0x7e [0077.499] SetLastError (dwErrCode=0x7e) [0077.499] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3a) returned 0x495800 [0077.499] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x483498 [0077.499] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x50) returned 0x494378 [0077.499] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x48ef68 [0077.499] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x481cc0 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x15, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x15, lpLCData=0x3aee88, cchData=4 | out: lpLCData="USD") returned 4 [0077.500] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="USD", cchWideChar=-1, lpMultiByteStr=0x3aeeec, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="USD", lpUsedDefaultChar=0x0) returned 4 [0077.500] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x481cd0 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x14, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x14, lpLCData=0x3aee78, cchData=2 | out: lpLCData="$") returned 2 [0077.500] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$", cchWideChar=-1, lpMultiByteStr=0x3aeed8, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$", lpUsedDefaultChar=0x0) returned 2 [0077.500] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x481ce0 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x16, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x16, lpLCData=0x3aee68, cchData=2 | out: lpLCData=".") returned 2 [0077.500] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=-1, lpMultiByteStr=0x3aeec4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".", lpUsedDefaultChar=0x0) returned 2 [0077.500] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x491ff8 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x17, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x17, lpLCData=0x3aee48, cchData=2 | out: lpLCData=",") returned 2 [0077.500] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x3aeeb0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0077.500] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x492008 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x18, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x18, lpLCData=0x3aee88, cchData=4 | out: lpLCData="3;0") returned 4 [0077.500] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3;0", cchWideChar=-1, lpMultiByteStr=0x3aeeec, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3;0", lpUsedDefaultChar=0x0) returned 4 [0077.500] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x492018 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x50, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 1 [0077.500] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x50, lpLCData=0x3aee78, cchData=1 | out: lpLCData="") returned 1 [0077.500] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="", cchWideChar=-1, lpMultiByteStr=0x3aeed8, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="", lpUsedDefaultChar=0x0) returned 1 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1) returned 0x492028 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x51, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x51, lpLCData=0x3aee68, cchData=2 | out: lpLCData="-") returned 2 [0077.501] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="-", cchWideChar=-1, lpMultiByteStr=0x3aeec4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="-", lpUsedDefaultChar=0x0) returned 2 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x493ad0 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2000001a, lpLCData=0x3aeeac, cchData=2 | out: lpLCData="\x02") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000019, lpLCData=0x3aeee8, cchData=2 | out: lpLCData="\x02") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000054, lpLCData=0x3aeed4, cchData=2 | out: lpLCData="\x01") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000055, lpLCData=0x3aeec0, cchData=2 | out: lpLCData="") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000056, lpLCData=0x3aeeac, cchData=2 | out: lpLCData="\x01") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000057, lpLCData=0x3aeee8, cchData=2 | out: lpLCData="") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000052, lpLCData=0x3aeed4, cchData=2 | out: lpLCData="\x03") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20000053, lpLCData=0x3aeec0, cchData=2 | out: lpLCData="") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x15, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x493ae0 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x15, lpLCData=0x493ae0, cchData=4 | out: lpLCData="USD") returned 4 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x14, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497578 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x14, lpLCData=0x497578, cchData=2 | out: lpLCData="$") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x16, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497588 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x16, lpLCData=0x497588, cchData=2 | out: lpLCData=".") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x17, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497598 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x17, lpLCData=0x497598, cchData=2 | out: lpLCData=",") returned 2 [0077.501] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x50, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 1 [0077.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4975a8 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x50, lpLCData=0x4975a8, cchData=1 | out: lpLCData="") returned 1 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x51, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4975b8 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x51, lpLCData=0x4975b8, cchData=2 | out: lpLCData="-") returned 2 [0077.502] GetLastError () returned 0x7e [0077.502] SetLastError (dwErrCode=0x7e) [0077.502] GetLastError () returned 0x7e [0077.502] SetLastError (dwErrCode=0x7e) [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3a) returned 0x495848 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4834b0 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x50) returned 0x4943d0 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4975c8 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4975d8 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xe, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xe, lpLCData=0x3aee88, cchData=2 | out: lpLCData=".") returned 2 [0077.502] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=-1, lpMultiByteStr=0x3aeef0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".", lpUsedDefaultChar=0x0) returned 2 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4975e8 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xf, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xf, lpLCData=0x3aee78, cchData=2 | out: lpLCData=",") returned 2 [0077.502] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x3aeedc, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4975f8 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x10, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.502] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x10, lpLCData=0x3aee68, cchData=4 | out: lpLCData="3;0") returned 4 [0077.502] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3;0", cchWideChar=-1, lpMultiByteStr=0x3aeec8, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3;0", lpUsedDefaultChar=0x0) returned 4 [0077.502] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497608 [0077.503] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xe, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.503] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497618 [0077.503] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xe, lpLCData=0x497618, cchData=2 | out: lpLCData=".") returned 2 [0077.503] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xf, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 2 [0077.503] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497628 [0077.503] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0xf, lpLCData=0x497628, cchData=2 | out: lpLCData=",") returned 2 [0077.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x48ef68 | out: hHeap=0x470000) returned 1 [0077.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x494378 | out: hHeap=0x470000) returned 1 [0077.503] GetLastError () returned 0x7e [0077.503] SetLastError (dwErrCode=0x7e) [0077.503] GetLastError () returned 0x7e [0077.503] SetLastError (dwErrCode=0x7e) [0077.503] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3a) returned 0x495890 [0077.503] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4834c8 [0077.503] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x164) returned 0x497960 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4834e0 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x31, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x31, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Mon") returned 4 [0077.504] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Mon", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Mon", lpUsedDefaultChar=0x0) returned 4 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497638 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2a, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2a, lpLCData=0x3aee58, cchData=7 | out: lpLCData="Monday") returned 7 [0077.504] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Monday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Monday", lpUsedDefaultChar=0x0) returned 7 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7) returned 0x497648 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x31, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497658 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x31, lpLCData=0x497658, cchData=4 | out: lpLCData="Mon") returned 4 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2a, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x4834f8 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2a, lpLCData=0x4834f8, cchData=7 | out: lpLCData="Monday") returned 7 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x32, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x32, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Tue") returned 4 [0077.504] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Tue", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tue", lpUsedDefaultChar=0x0) returned 4 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497668 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2b, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 8 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2b, lpLCData=0x3aee58, cchData=8 | out: lpLCData="Tuesday") returned 8 [0077.504] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Tuesday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Tuesday", lpUsedDefaultChar=0x0) returned 8 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497678 [0077.504] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x32, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.504] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497688 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x32, lpLCData=0x497688, cchData=4 | out: lpLCData="Tue") returned 4 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2b, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 8 [0077.505] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10) returned 0x483510 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2b, lpLCData=0x483510, cchData=8 | out: lpLCData="Tuesday") returned 8 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x33, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x33, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Wed") returned 4 [0077.505] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Wed", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wed", lpUsedDefaultChar=0x0) returned 4 [0077.505] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497698 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2c, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 10 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2c, lpLCData=0x3aee48, cchData=10 | out: lpLCData="Wednesday") returned 10 [0077.505] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Wednesday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wednesday", lpUsedDefaultChar=0x0) returned 10 [0077.505] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x483528 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x33, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.505] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4976a8 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x33, lpLCData=0x4976a8, cchData=4 | out: lpLCData="Wed") returned 4 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2c, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 10 [0077.505] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x493af0 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2c, lpLCData=0x493af0, cchData=10 | out: lpLCData="Wednesday") returned 10 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x34, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x34, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Thu") returned 4 [0077.505] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thu", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thu", lpUsedDefaultChar=0x0) returned 4 [0077.505] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4976b8 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2d, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.505] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2d, lpLCData=0x3aee48, cchData=9 | out: lpLCData="Thursday") returned 9 [0077.505] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thursday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thursday", lpUsedDefaultChar=0x0) returned 9 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9) returned 0x483540 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x34, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4976c8 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x34, lpLCData=0x4976c8, cchData=4 | out: lpLCData="Thu") returned 4 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2d, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x493b10 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2d, lpLCData=0x493b10, cchData=9 | out: lpLCData="Thursday") returned 9 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x35, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x35, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Fri") returned 4 [0077.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Fri", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Fri", lpUsedDefaultChar=0x0) returned 4 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4976d8 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2e, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2e, lpLCData=0x3aee58, cchData=7 | out: lpLCData="Friday") returned 7 [0077.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Friday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Friday", lpUsedDefaultChar=0x0) returned 7 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7) returned 0x4976e8 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x35, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4976f8 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x35, lpLCData=0x4976f8, cchData=4 | out: lpLCData="Fri") returned 4 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2e, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x483558 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2e, lpLCData=0x483558, cchData=7 | out: lpLCData="Friday") returned 7 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x36, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x36, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Sat") returned 4 [0077.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Sat", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sat", lpUsedDefaultChar=0x0) returned 4 [0077.506] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497708 [0077.506] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2f, lpLCData=0x3aee48, cchData=9 | out: lpLCData="Saturday") returned 9 [0077.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Saturday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Saturday", lpUsedDefaultChar=0x0) returned 9 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9) returned 0x483570 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x36, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497718 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x36, lpLCData=0x497718, cchData=4 | out: lpLCData="Sat") returned 4 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x493b30 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x2f, lpLCData=0x493b30, cchData=9 | out: lpLCData="Saturday") returned 9 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x37, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x37, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Sun") returned 4 [0077.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Sun", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sun", lpUsedDefaultChar=0x0) returned 4 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497728 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x30, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x30, lpLCData=0x3aee58, cchData=7 | out: lpLCData="Sunday") returned 7 [0077.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Sunday", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sunday", lpUsedDefaultChar=0x0) returned 7 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7) returned 0x497738 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x37, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497748 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x37, lpLCData=0x497748, cchData=4 | out: lpLCData="Sun") returned 4 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x30, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.507] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x483588 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x30, lpLCData=0x483588, cchData=7 | out: lpLCData="Sunday") returned 7 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x44, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.507] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x44, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Jan") returned 4 [0077.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Jan", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Jan", lpUsedDefaultChar=0x0) returned 4 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497758 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x38, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 8 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x38, lpLCData=0x3aee58, cchData=8 | out: lpLCData="January") returned 8 [0077.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="January", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="January", lpUsedDefaultChar=0x0) returned 8 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497768 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x44, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497778 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x44, lpLCData=0x497778, cchData=4 | out: lpLCData="Jan") returned 4 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x38, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 8 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10) returned 0x4835a0 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x38, lpLCData=0x4835a0, cchData=8 | out: lpLCData="January") returned 8 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x45, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x45, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Feb") returned 4 [0077.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Feb", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Feb", lpUsedDefaultChar=0x0) returned 4 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497788 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x39, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x39, lpLCData=0x3aee48, cchData=9 | out: lpLCData="February") returned 9 [0077.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="February", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="February", lpUsedDefaultChar=0x0) returned 9 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9) returned 0x4835b8 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x45, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497798 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x45, lpLCData=0x497798, cchData=4 | out: lpLCData="Feb") returned 4 [0077.508] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x39, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x493b50 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x39, lpLCData=0x493b50, cchData=9 | out: lpLCData="February") returned 9 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x46, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x46, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Mar") returned 4 [0077.509] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Mar", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Mar", lpUsedDefaultChar=0x0) returned 4 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4977a8 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3a, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 6 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3a, lpLCData=0x3aee58, cchData=6 | out: lpLCData="March") returned 6 [0077.509] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="March", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="March", lpUsedDefaultChar=0x0) returned 6 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6) returned 0x4977b8 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x46, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4977c8 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x46, lpLCData=0x4977c8, cchData=4 | out: lpLCData="Mar") returned 4 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3a, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 6 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xc) returned 0x4835d0 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3a, lpLCData=0x4835d0, cchData=6 | out: lpLCData="March") returned 6 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x47, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x47, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Apr") returned 4 [0077.509] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Apr", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Apr", lpUsedDefaultChar=0x0) returned 4 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4977d8 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3b, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 6 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3b, lpLCData=0x3aee58, cchData=6 | out: lpLCData="April") returned 6 [0077.509] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="April", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="April", lpUsedDefaultChar=0x0) returned 6 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6) returned 0x4977e8 [0077.509] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x47, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.509] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4977f8 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x47, lpLCData=0x4977f8, cchData=4 | out: lpLCData="Apr") returned 4 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3b, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 6 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xc) returned 0x4835e8 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3b, lpLCData=0x4835e8, cchData=6 | out: lpLCData="April") returned 6 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x48, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x48, lpLCData=0x3aee68, cchData=4 | out: lpLCData="May") returned 4 [0077.510] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="May", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="May", lpUsedDefaultChar=0x0) returned 4 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497808 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3c, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3c, lpLCData=0x3aee58, cchData=4 | out: lpLCData="May") returned 4 [0077.510] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="May", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="May", lpUsedDefaultChar=0x0) returned 4 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497818 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x48, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497828 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x48, lpLCData=0x497828, cchData=4 | out: lpLCData="May") returned 4 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3c, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497838 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3c, lpLCData=0x497838, cchData=4 | out: lpLCData="May") returned 4 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x49, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x49, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Jun") returned 4 [0077.510] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Jun", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Jun", lpUsedDefaultChar=0x0) returned 4 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497848 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3d, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 5 [0077.510] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3d, lpLCData=0x3aee58, cchData=5 | out: lpLCData="June") returned 5 [0077.510] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="June", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="June", lpUsedDefaultChar=0x0) returned 5 [0077.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x5) returned 0x497858 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x49, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497868 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x49, lpLCData=0x497868, cchData=4 | out: lpLCData="Jun") returned 4 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3d, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 5 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x483600 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3d, lpLCData=0x483600, cchData=5 | out: lpLCData="June") returned 5 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4a, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4a, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Jul") returned 4 [0077.511] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Jul", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Jul", lpUsedDefaultChar=0x0) returned 4 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497878 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3e, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 5 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3e, lpLCData=0x3aee58, cchData=5 | out: lpLCData="July") returned 5 [0077.511] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="July", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="July", lpUsedDefaultChar=0x0) returned 5 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x5) returned 0x497888 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4a, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497898 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4a, lpLCData=0x497898, cchData=4 | out: lpLCData="Jul") returned 4 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3e, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 5 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x483618 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3e, lpLCData=0x483618, cchData=5 | out: lpLCData="July") returned 5 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4b, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4b, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Aug") returned 4 [0077.511] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Aug", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Aug", lpUsedDefaultChar=0x0) returned 4 [0077.511] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4978a8 [0077.511] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3f, lpLCData=0x3aee58, cchData=7 | out: lpLCData="August") returned 7 [0077.512] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="August", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="August", lpUsedDefaultChar=0x0) returned 7 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7) returned 0x4978b8 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4b, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4978c8 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4b, lpLCData=0x4978c8, cchData=4 | out: lpLCData="Aug") returned 4 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 7 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x497ae8 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x3f, lpLCData=0x497ae8, cchData=7 | out: lpLCData="August") returned 7 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4c, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4c, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Sep") returned 4 [0077.512] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Sep", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Sep", lpUsedDefaultChar=0x0) returned 4 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4978d8 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x40, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 10 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x40, lpLCData=0x3aee48, cchData=10 | out: lpLCData="September") returned 10 [0077.512] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="September", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="September", lpUsedDefaultChar=0x0) returned 10 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x497b00 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4c, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4978e8 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4c, lpLCData=0x4978e8, cchData=4 | out: lpLCData="Sep") returned 4 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x40, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 10 [0077.512] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x493b70 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x40, lpLCData=0x493b70, cchData=10 | out: lpLCData="September") returned 10 [0077.512] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4d, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4d, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Oct") returned 4 [0077.513] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Oct", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Oct", lpUsedDefaultChar=0x0) returned 4 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4978f8 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x41, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 8 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x41, lpLCData=0x3aee58, cchData=8 | out: lpLCData="October") returned 8 [0077.513] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="October", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="October", lpUsedDefaultChar=0x0) returned 8 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497908 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4d, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497918 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4d, lpLCData=0x497918, cchData=4 | out: lpLCData="Oct") returned 4 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x41, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 8 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10) returned 0x497b18 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x41, lpLCData=0x497b18, cchData=8 | out: lpLCData="October") returned 8 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4e, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4e, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Nov") returned 4 [0077.513] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Nov", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Nov", lpUsedDefaultChar=0x0) returned 4 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497928 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x42, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x42, lpLCData=0x3aee48, cchData=9 | out: lpLCData="November") returned 9 [0077.513] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="November", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="November", lpUsedDefaultChar=0x0) returned 9 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9) returned 0x497b30 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4e, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497938 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4e, lpLCData=0x497938, cchData=4 | out: lpLCData="Nov") returned 4 [0077.513] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x42, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x493b90 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x42, lpLCData=0x493b90, cchData=9 | out: lpLCData="November") returned 9 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4f, lpLCData=0x3aee68, cchData=4 | out: lpLCData="Dec") returned 4 [0077.514] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Dec", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dec", lpUsedDefaultChar=0x0) returned 4 [0077.514] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x497948 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x43, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x43, lpLCData=0x3aee48, cchData=9 | out: lpLCData="December") returned 9 [0077.514] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="December", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="December", lpUsedDefaultChar=0x0) returned 9 [0077.514] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9) returned 0x497b48 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 4 [0077.514] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x497ee8 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x4f, lpLCData=0x497ee8, cchData=4 | out: lpLCData="Dec") returned 4 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x43, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.514] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x493bb0 [0077.514] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x43, lpLCData=0x493bb0, cchData=9 | out: lpLCData="December") returned 9 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x28, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 3 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x28, lpLCData=0x3aee68, cchData=3 | out: lpLCData="AM") returned 3 [0077.516] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="AM", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AM", lpUsedDefaultChar=0x0) returned 3 [0077.516] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3) returned 0x497ef8 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x29, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 3 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x29, lpLCData=0x3aee58, cchData=3 | out: lpLCData="PM") returned 3 [0077.516] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="PM", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PM", lpUsedDefaultChar=0x0) returned 3 [0077.516] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3) returned 0x497f08 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x28, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 3 [0077.516] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6) returned 0x497f18 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x28, lpLCData=0x497f18, cchData=3 | out: lpLCData="AM") returned 3 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x29, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 3 [0077.516] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6) returned 0x497f28 [0077.516] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x29, lpLCData=0x497f28, cchData=3 | out: lpLCData="PM") returned 3 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1f, lpLCData=0x3aee68, cchData=9 | out: lpLCData="M/d/yyyy") returned 9 [0077.517] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="M/d/yyyy", cchWideChar=-1, lpMultiByteStr=0x3aeed4, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="M/d/yyyy", lpUsedDefaultChar=0x0) returned 9 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x9) returned 0x497b60 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 20 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20, lpLCData=0x3aee38, cchData=20 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0077.517] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dddd, MMMM dd, yyyy", cchWideChar=-1, lpMultiByteStr=0x3aeec0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dddd, MMMM dd, yyyy", lpUsedDefaultChar=0x0) returned 20 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x4982d0 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1003, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 11 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1003, lpLCData=0x3aee38, cchData=11 | out: lpLCData="h:mm:ss tt") returned 11 [0077.517] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="h:mm:ss tt", cchWideChar=-1, lpMultiByteStr=0x3aeeac, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h:mm:ss tt", lpUsedDefaultChar=0x0) returned 11 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb) returned 0x497b78 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20001009, lpLCData=0x3aee94, cchData=2 | out: lpLCData="\x01") returned 2 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1f, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 9 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x4982f0 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1f, lpLCData=0x4982f0, cchData=9 | out: lpLCData="M/d/yyyy") returned 9 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 20 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x28) returned 0x48c358 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x20, lpLCData=0x48c358, cchData=20 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1003, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 11 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x16) returned 0x498310 [0077.517] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x1003, lpLCData=0x498310, cchData=11 | out: lpLCData="h:mm:ss tt") returned 11 [0077.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a6) returned 0x498330 [0077.518] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x498330 | out: hHeap=0x470000) returned 1 [0077.518] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x492400 | out: hHeap=0x470000) returned 1 [0077.518] GetLastError () returned 0x7e [0077.518] SetLastError (dwErrCode=0x7e) [0077.518] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af554 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x3af554) returned 27 [0077.518] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1f) returned 0x4969b0 [0077.518] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=27, lpMultiByteStr=0x4969b4, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af554 | out: lpMultiByteStr="English_United States.1252", lpUsedDefaultChar=0x3af554) returned 27 [0077.518] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4969d8 [0077.518] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2) returned 0x497f38 [0077.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a00 [0077.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2) returned 0x497f48 [0077.519] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x497f48 | out: hHeap=0x470000) returned 1 [0077.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2) returned 0x497f48 [0077.519] GetLastError () returned 0x7e [0077.519] SetLastError (dwErrCode=0x7e) [0077.519] GetLastError () returned 0x7e [0077.519] SetLastError (dwErrCode=0x7e) [0077.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x498330 [0077.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a6) returned 0x4983f0 [0077.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4983f0 | out: hHeap=0x470000) returned 1 [0077.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4969b0 | out: hHeap=0x470000) returned 1 [0077.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4925d8 | out: hHeap=0x470000) returned 1 [0077.520] GetLastError () returned 0x7e [0077.520] SetLastError (dwErrCode=0x7e) [0077.520] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af4d0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x3af4d0) returned 27 [0077.520] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1f) returned 0x4969b0 [0077.520] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=27, lpMultiByteStr=0x4969b4, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af4d0 | out: lpMultiByteStr="English_United States.1252", lpUsedDefaultChar=0x3af4d0) returned 27 [0077.520] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1b) returned 0x496a28 [0077.520] GetLastError () returned 0x7e [0077.520] SetLastError (dwErrCode=0x7e) [0077.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af6b4, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1 [0077.520] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x497f58 [0077.520] GetLastError () returned 0x7e [0077.520] SetLastError (dwErrCode=0x7e) [0077.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af6b4, cbMultiByte=-1, lpWideCharStr=0x497f58, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0077.521] GetLastError () returned 0x7e [0077.521] SetLastError (dwErrCode=0x7e) [0077.521] GetLastError () returned 0x7e [0077.521] SetLastError (dwErrCode=0x7e) [0077.521] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x4925d8 [0077.521] GetLastError () returned 0x7e [0077.521] SetLastError (dwErrCode=0x7e) [0077.521] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a6) returned 0x4983f0 [0077.521] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4983f0 | out: hHeap=0x470000) returned 1 [0077.521] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4969b0 | out: hHeap=0x470000) returned 1 [0077.522] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x498330 | out: hHeap=0x470000) returned 1 [0077.522] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x497f58 | out: hHeap=0x470000) returned 1 [0077.522] GetLastError () returned 0x7e [0077.522] SetLastError (dwErrCode=0x7e) [0077.522] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af4b0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x3af4b0) returned 27 [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1f) returned 0x4969b0 [0077.522] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=27, lpMultiByteStr=0x4969b4, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af4b0 | out: lpMultiByteStr="English_United States.1252", lpUsedDefaultChar=0x3af4b0) returned 27 [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1b) returned 0x496a50 [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x498330 [0077.522] GetLastError () returned 0x7e [0077.522] SetLastError (dwErrCode=0x7e) [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x200) returned 0x498350 [0077.522] GetLastError () returned 0x7e [0077.522] SetLastError (dwErrCode=0x7e) [0077.522] GetLastError () returned 0x7e [0077.522] SetLastError (dwErrCode=0x7e) [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497b90 [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x498558 [0077.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x497f58 [0077.523] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x497f68 [0077.523] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x498600 [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.523] GetLastError () returned 0x7e [0077.523] SetLastError (dwErrCode=0x7e) [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x497f78 [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6) returned 0x497f88 [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x5) returned 0x497f98 [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x497fa8 [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x497ba8 [0077.524] GetLastError () returned 0x7e [0077.524] SetLastError (dwErrCode=0x7e) [0077.524] GetLastError () returned 0x7e [0077.524] SetLastError (dwErrCode=0x7e) [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497bc0 [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x497fb8 [0077.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x497fc8 [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x497fd8 [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x58) returned 0x498620 [0077.525] GetLastError () returned 0x7e [0077.525] SetLastError (dwErrCode=0x7e) [0077.525] GetLastError () returned 0x7e [0077.525] SetLastError (dwErrCode=0x7e) [0077.525] GetLastError () returned 0x7e [0077.525] SetLastError (dwErrCode=0x7e) [0077.525] GetLastError () returned 0x7e [0077.525] SetLastError (dwErrCode=0x7e) [0077.525] GetLastError () returned 0x7e [0077.525] SetLastError (dwErrCode=0x7e) [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x497fe8 [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x497ff8 [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1) returned 0x498008 [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498018 [0077.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x58) returned 0x498680 [0077.525] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498028 [0077.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x498038 [0077.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1) returned 0x498048 [0077.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498058 [0077.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x44) returned 0x488580 [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.526] GetLastError () returned 0x7e [0077.526] SetLastError (dwErrCode=0x7e) [0077.527] GetLastError () returned 0x7e [0077.527] SetLastError (dwErrCode=0x7e) [0077.527] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x56) returned 0x4986e0 [0077.527] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x56) returned 0x498740 [0077.527] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4986e0 | out: hHeap=0x470000) returned 1 [0077.527] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x56) returned 0x4987b8 [0077.528] GetLastError () returned 0x7e [0077.528] SetLastError (dwErrCode=0x7e) [0077.528] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x87) returned 0x4997a0 [0077.528] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x87) returned 0x499830 [0077.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4997a0 | out: hHeap=0x470000) returned 1 [0077.528] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x87) returned 0x4997a0 [0077.528] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xd) returned 0x497bd8 [0077.528] GetLastError () returned 0x7e [0077.528] SetLastError (dwErrCode=0x7e) [0077.528] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x22, lpLCData=0x3af4f0, cchData=2 | out: lpLCData="0") returned 2 [0077.529] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497bf0 [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.529] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48c) returned 0x4998c0 [0077.529] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x44) returned 0x4885d0 [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.529] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x200) returned 0x499d58 [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.529] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497c08 [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.529] GetLastError () returned 0x7e [0077.529] SetLastError (dwErrCode=0x7e) [0077.530] GetLastError () returned 0x7e [0077.530] SetLastError (dwErrCode=0x7e) [0077.530] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498068 [0077.530] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498078 [0077.530] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x499f78 [0077.531] GetLastError () returned 0x7e [0077.531] SetLastError (dwErrCode=0x7e) [0077.531] GetLastError () returned 0x7e [0077.531] SetLastError (dwErrCode=0x7e) [0077.531] GetLastError () returned 0x7e [0077.531] SetLastError (dwErrCode=0x7e) [0077.531] GetLastError () returned 0x7e [0077.531] SetLastError (dwErrCode=0x7e) [0077.531] GetLastError () returned 0x7e [0077.531] SetLastError (dwErrCode=0x7e) [0077.531] GetLastError () returned 0x7e [0077.532] SetLastError (dwErrCode=0x7e) [0077.532] GetLastError () returned 0x7e [0077.532] SetLastError (dwErrCode=0x7e) [0077.532] GetLastError () returned 0x7e [0077.532] SetLastError (dwErrCode=0x7e) [0077.532] GetLastError () returned 0x7e [0077.532] SetLastError (dwErrCode=0x7e) [0077.532] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498088 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bc, cbMultiByte=1, lpWideCharStr=0x3af490, cchWideChar=1 | out: lpWideCharStr="fI:웜ęڼğ") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bd, cbMultiByte=1, lpWideCharStr=0x3af490, cchWideChar=1 | out: lpWideCharStr="aI:웜ęڼğ") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06be, cbMultiByte=1, lpWideCharStr=0x3af490, cchWideChar=1 | out: lpWideCharStr="lI:웜ęڼğ") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bf, cbMultiByte=1, lpWideCharStr=0x3af490, cchWideChar=1 | out: lpWideCharStr="sI:웜ęڼğ") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c0, cbMultiByte=1, lpWideCharStr=0x3af490, cchWideChar=1 | out: lpWideCharStr="eI:웜ęڼğ") returned 1 [0077.532] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xc) returned 0x497c20 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bc, cbMultiByte=1, lpWideCharStr=0x497c20, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bd, cbMultiByte=1, lpWideCharStr=0x497c22, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06be, cbMultiByte=1, lpWideCharStr=0x497c24, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bf, cbMultiByte=1, lpWideCharStr=0x497c26, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c0, cbMultiByte=1, lpWideCharStr=0x497c28, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c4, cbMultiByte=1, lpWideCharStr=0x3af484, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c5, cbMultiByte=1, lpWideCharStr=0x3af484, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c6, cbMultiByte=1, lpWideCharStr=0x3af484, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c7, cbMultiByte=1, lpWideCharStr=0x3af484, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.532] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x497c38 [0077.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c4, cbMultiByte=1, lpWideCharStr=0x497c38, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0077.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c5, cbMultiByte=1, lpWideCharStr=0x497c3a, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c6, cbMultiByte=1, lpWideCharStr=0x497c3c, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c7, cbMultiByte=1, lpWideCharStr=0x497c3e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x497c50 [0077.533] GetLastError () returned 0x7e [0077.533] SetLastError (dwErrCode=0x7e) [0077.533] GetLastError () returned 0x7e [0077.533] SetLastError (dwErrCode=0x7e) [0077.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497c68 [0077.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498098 [0077.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4980a8 [0077.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4980b8 [0077.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x58) returned 0x498818 [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4980c8 [0077.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4980d8 [0077.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4980e8 [0077.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4980f8 [0077.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x58) returned 0x498878 [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.534] SetLastError (dwErrCode=0x7e) [0077.534] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498108 [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x498118 [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498128 [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x498138 [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x44) returned 0x488620 [0077.535] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] GetLastError () returned 0x7e [0077.535] SetLastError (dwErrCode=0x7e) [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xac) returned 0x49a760 [0077.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xac) returned 0x49a818 [0077.536] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a760 | out: hHeap=0x470000) returned 1 [0077.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xac) returned 0x49a760 [0077.536] GetLastError () returned 0x7e [0077.536] SetLastError (dwErrCode=0x7e) [0077.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10e) returned 0x49a8d0 [0077.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10e) returned 0x49a9e8 [0077.536] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a8d0 | out: hHeap=0x470000) returned 1 [0077.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10e) returned 0x49a8d0 [0077.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x496a78 [0077.536] GetLastError () returned 0x7e [0077.537] SetLastError (dwErrCode=0x7e) [0077.537] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x22, lpLCData=0x3af4dc, cchData=2 | out: lpLCData="0") returned 2 [0077.537] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497c80 [0077.537] GetLastError () returned 0x7e [0077.537] SetLastError (dwErrCode=0x7e) [0077.537] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48c) returned 0x49ab00 [0077.537] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x49af98 [0077.537] GetLastError () returned 0x7e [0077.537] SetLastError (dwErrCode=0x7e) [0077.537] GetLastError () returned 0x7e [0077.537] SetLastError (dwErrCode=0x7e) [0077.537] GetLastError () returned 0x7e [0077.537] SetLastError (dwErrCode=0x7e) [0077.537] GetLastError () returned 0x7e [0077.537] SetLastError (dwErrCode=0x7e) [0077.537] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x44) returned 0x488670 [0077.537] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.538] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x200) returned 0x49afd8 [0077.538] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.538] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.538] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497c98 [0077.538] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.538] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.538] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.538] GetLastError () returned 0x7e [0077.538] SetLastError (dwErrCode=0x7e) [0077.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498148 [0077.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498158 [0077.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x499f98 [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.539] SetLastError (dwErrCode=0x7e) [0077.539] GetLastError () returned 0x7e [0077.540] SetLastError (dwErrCode=0x7e) [0077.540] GetLastError () returned 0x7e [0077.540] SetLastError (dwErrCode=0x7e) [0077.540] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498168 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bc, cbMultiByte=1, lpWideCharStr=0x3af480, cchWideChar=1 | out: lpWideCharStr="fI:옅ęڼğ") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bd, cbMultiByte=1, lpWideCharStr=0x3af480, cchWideChar=1 | out: lpWideCharStr="aI:옅ęڼğ") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06be, cbMultiByte=1, lpWideCharStr=0x3af480, cchWideChar=1 | out: lpWideCharStr="lI:옅ęڼğ") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bf, cbMultiByte=1, lpWideCharStr=0x3af480, cchWideChar=1 | out: lpWideCharStr="sI:옅ęڼğ") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c0, cbMultiByte=1, lpWideCharStr=0x3af480, cchWideChar=1 | out: lpWideCharStr="eI:옅ęڼğ") returned 1 [0077.540] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xc) returned 0x497cb0 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bc, cbMultiByte=1, lpWideCharStr=0x497cb0, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bd, cbMultiByte=1, lpWideCharStr=0x497cb2, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06be, cbMultiByte=1, lpWideCharStr=0x497cb4, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06bf, cbMultiByte=1, lpWideCharStr=0x497cb6, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c0, cbMultiByte=1, lpWideCharStr=0x497cb8, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c4, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c5, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c6, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c7, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.540] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xa) returned 0x497cc8 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c4, cbMultiByte=1, lpWideCharStr=0x497cc8, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c5, cbMultiByte=1, lpWideCharStr=0x497cca, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c6, cbMultiByte=1, lpWideCharStr=0x497ccc, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11f06c7, cbMultiByte=1, lpWideCharStr=0x497cce, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.541] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af420, cbMultiByte=1, lpWideCharStr=0x3af414, cchWideChar=1 | out: lpWideCharStr=".ğ:厝ę.") returned 1 [0077.541] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af414, cbMultiByte=1, lpWideCharStr=0x3af408, cchWideChar=1 | out: lpWideCharStr=",::厳ę,") returned 1 [0077.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x497ce0 [0077.541] GetLastError () returned 0x7e [0077.541] SetLastError (dwErrCode=0x7e) [0077.541] GetLastError () returned 0x7e [0077.541] SetLastError (dwErrCode=0x7e) [0077.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497cf8 [0077.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498178 [0077.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498188 [0077.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x498198 [0077.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x58) returned 0x4988d8 [0077.542] GetLastError () returned 0x7e [0077.542] SetLastError (dwErrCode=0x7e) [0077.542] GetLastError () returned 0x7e [0077.542] SetLastError (dwErrCode=0x7e) [0077.542] GetLastError () returned 0x7e [0077.542] SetLastError (dwErrCode=0x7e) [0077.542] GetLastError () returned 0x7e [0077.542] SetLastError (dwErrCode=0x7e) [0077.542] GetLastError () returned 0x7e [0077.542] SetLastError (dwErrCode=0x7e) [0077.542] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4981a8 [0077.542] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481ce0, cbMultiByte=1, lpWideCharStr=0x3af4a4, cchWideChar=1 | out: lpWideCharStr="$") returned 1 [0077.542] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4981b8 [0077.542] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481ce0, cbMultiByte=1, lpWideCharStr=0x4981b8, cchWideChar=1 | out: lpWideCharStr="$") returned 1 [0077.542] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4981c8 [0077.542] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x493ad0, cbMultiByte=1, lpWideCharStr=0x3af4a4, cchWideChar=1 | out: lpWideCharStr="-") returned 1 [0077.542] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x4981d8 [0077.542] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x493ad0, cbMultiByte=1, lpWideCharStr=0x4981d8, cchWideChar=1 | out: lpWideCharStr="-") returned 1 [0077.542] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af4a4, cbMultiByte=1, lpWideCharStr=0x3af498, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0077.542] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af498, cbMultiByte=1, lpWideCharStr=0x3af48c, cchWideChar=1 | out: lpWideCharStr=",I:卛ę,") returned 1 [0077.542] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x58) returned 0x498938 [0077.543] GetLastError () returned 0x7e [0077.543] SetLastError (dwErrCode=0x7e) [0077.543] GetLastError () returned 0x7e [0077.543] SetLastError (dwErrCode=0x7e) [0077.543] GetLastError () returned 0x7e [0077.543] SetLastError (dwErrCode=0x7e) [0077.543] GetLastError () returned 0x7e [0077.543] SetLastError (dwErrCode=0x7e) [0077.543] GetLastError () returned 0x7e [0077.543] SetLastError (dwErrCode=0x7e) [0077.543] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x4981e8 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481cd0, cbMultiByte=1, lpWideCharStr=0x3af4a4, cchWideChar=1 | out: lpWideCharStr="U") returned 1 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481cd1, cbMultiByte=1, lpWideCharStr=0x3af4a4, cchWideChar=1 | out: lpWideCharStr="S") returned 1 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481cd2, cbMultiByte=1, lpWideCharStr=0x3af4a4, cchWideChar=1 | out: lpWideCharStr="D") returned 1 [0077.543] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8) returned 0x4981f8 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481cd0, cbMultiByte=1, lpWideCharStr=0x4981f8, cchWideChar=1 | out: lpWideCharStr="U") returned 1 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481cd1, cbMultiByte=1, lpWideCharStr=0x4981fa, cchWideChar=1 | out: lpWideCharStr="S") returned 1 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x481cd2, cbMultiByte=1, lpWideCharStr=0x4981fc, cchWideChar=1 | out: lpWideCharStr="D") returned 1 [0077.543] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498208 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x493ad0, cbMultiByte=1, lpWideCharStr=0x3af4a4, cchWideChar=1 | out: lpWideCharStr="-") returned 1 [0077.543] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x4) returned 0x498218 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x493ad0, cbMultiByte=1, lpWideCharStr=0x498218, cchWideChar=1 | out: lpWideCharStr="-") returned 1 [0077.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af4a4, cbMultiByte=1, lpWideCharStr=0x3af498, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0077.544] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x3af498, cbMultiByte=1, lpWideCharStr=0x3af48c, cchWideChar=1 | out: lpWideCharStr=",I:卛ę,") returned 1 [0077.544] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x44) returned 0x4886c0 [0077.544] GetLastError () returned 0x7e [0077.544] SetLastError (dwErrCode=0x7e) [0077.544] GetLastError () returned 0x7e [0077.544] SetLastError (dwErrCode=0x7e) [0077.544] GetLastError () returned 0x7e [0077.544] SetLastError (dwErrCode=0x7e) [0077.544] GetLastError () returned 0x7e [0077.544] SetLastError (dwErrCode=0x7e) [0077.544] GetLastError () returned 0x7e [0077.544] SetLastError (dwErrCode=0x7e) [0077.544] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x56) returned 0x498998 [0077.545] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x498740 | out: hHeap=0x470000) returned 1 [0077.545] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x56) returned 0x4989f8 [0077.545] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x498998 | out: hHeap=0x470000) returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989f8, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989f9, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="SI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fa, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fb, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fc, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fd, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="SI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fe, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989ff, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a00, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a01, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a02, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a03, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a04, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="MI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a05, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="oI:吁ę觸I") returned 1 [0077.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a06, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a07, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a08, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="MI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a09, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="oI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0d, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0e, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0f, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="TI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a10, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a11, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a12, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a13, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="TI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a14, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a15, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a16, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="sI:吁ę觸I") returned 1 [0077.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a17, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a18, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a19, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="WI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1d, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1e, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1f, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="WI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a20, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a21, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a22, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a23, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a24, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="sI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a25, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a26, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a27, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a28, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a29, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="TI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="hI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2d, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="TI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2e, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="hI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2f, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a30, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a31, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="sI:吁ę觸I") returned 1 [0077.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a32, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a33, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a34, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a35, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a36, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="FI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a37, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a38, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="iI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a39, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="FI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="iI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3d, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3e, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3f, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a40, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a41, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="SI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a42, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a43, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="tI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a44, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a45, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="SI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a46, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a47, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="tI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a48, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a49, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a4a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="dI:吁ę觸I") returned 1 [0077.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a4b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吁ę觸I") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a4c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吁ę觸I") returned 1 [0077.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xac) returned 0x4986e0 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989f8, cbMultiByte=1, lpWideCharStr=0x4986e0, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989f9, cbMultiByte=1, lpWideCharStr=0x4986e2, cchWideChar=1 | out: lpWideCharStr="S") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fa, cbMultiByte=1, lpWideCharStr=0x4986e4, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fb, cbMultiByte=1, lpWideCharStr=0x4986e6, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fc, cbMultiByte=1, lpWideCharStr=0x4986e8, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fd, cbMultiByte=1, lpWideCharStr=0x4986ea, cchWideChar=1 | out: lpWideCharStr="S") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989fe, cbMultiByte=1, lpWideCharStr=0x4986ec, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x4989ff, cbMultiByte=1, lpWideCharStr=0x4986ee, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a00, cbMultiByte=1, lpWideCharStr=0x4986f0, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a01, cbMultiByte=1, lpWideCharStr=0x4986f2, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a02, cbMultiByte=1, lpWideCharStr=0x4986f4, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a03, cbMultiByte=1, lpWideCharStr=0x4986f6, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a04, cbMultiByte=1, lpWideCharStr=0x4986f8, cchWideChar=1 | out: lpWideCharStr="M") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a05, cbMultiByte=1, lpWideCharStr=0x4986fa, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a06, cbMultiByte=1, lpWideCharStr=0x4986fc, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a07, cbMultiByte=1, lpWideCharStr=0x4986fe, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a08, cbMultiByte=1, lpWideCharStr=0x498700, cchWideChar=1 | out: lpWideCharStr="M") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a09, cbMultiByte=1, lpWideCharStr=0x498702, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0a, cbMultiByte=1, lpWideCharStr=0x498704, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0b, cbMultiByte=1, lpWideCharStr=0x498706, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0c, cbMultiByte=1, lpWideCharStr=0x498708, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0d, cbMultiByte=1, lpWideCharStr=0x49870a, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.549] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0e, cbMultiByte=1, lpWideCharStr=0x49870c, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a0f, cbMultiByte=1, lpWideCharStr=0x49870e, cchWideChar=1 | out: lpWideCharStr="T") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a10, cbMultiByte=1, lpWideCharStr=0x498710, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a11, cbMultiByte=1, lpWideCharStr=0x498712, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a12, cbMultiByte=1, lpWideCharStr=0x498714, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a13, cbMultiByte=1, lpWideCharStr=0x498716, cchWideChar=1 | out: lpWideCharStr="T") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a14, cbMultiByte=1, lpWideCharStr=0x498718, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a15, cbMultiByte=1, lpWideCharStr=0x49871a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a16, cbMultiByte=1, lpWideCharStr=0x49871c, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a17, cbMultiByte=1, lpWideCharStr=0x49871e, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a18, cbMultiByte=1, lpWideCharStr=0x498720, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a19, cbMultiByte=1, lpWideCharStr=0x498722, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1a, cbMultiByte=1, lpWideCharStr=0x498724, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1b, cbMultiByte=1, lpWideCharStr=0x498726, cchWideChar=1 | out: lpWideCharStr="W") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1c, cbMultiByte=1, lpWideCharStr=0x498728, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1d, cbMultiByte=1, lpWideCharStr=0x49872a, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1e, cbMultiByte=1, lpWideCharStr=0x49872c, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a1f, cbMultiByte=1, lpWideCharStr=0x49872e, cchWideChar=1 | out: lpWideCharStr="W") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a20, cbMultiByte=1, lpWideCharStr=0x498730, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a21, cbMultiByte=1, lpWideCharStr=0x498732, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a22, cbMultiByte=1, lpWideCharStr=0x498734, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a23, cbMultiByte=1, lpWideCharStr=0x498736, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a24, cbMultiByte=1, lpWideCharStr=0x498738, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a25, cbMultiByte=1, lpWideCharStr=0x49873a, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a26, cbMultiByte=1, lpWideCharStr=0x49873c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a27, cbMultiByte=1, lpWideCharStr=0x49873e, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a28, cbMultiByte=1, lpWideCharStr=0x498740, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a29, cbMultiByte=1, lpWideCharStr=0x498742, cchWideChar=1 | out: lpWideCharStr="T") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2a, cbMultiByte=1, lpWideCharStr=0x498744, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2b, cbMultiByte=1, lpWideCharStr=0x498746, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2c, cbMultiByte=1, lpWideCharStr=0x498748, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2d, cbMultiByte=1, lpWideCharStr=0x49874a, cchWideChar=1 | out: lpWideCharStr="T") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2e, cbMultiByte=1, lpWideCharStr=0x49874c, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a2f, cbMultiByte=1, lpWideCharStr=0x49874e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a30, cbMultiByte=1, lpWideCharStr=0x498750, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a31, cbMultiByte=1, lpWideCharStr=0x498752, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a32, cbMultiByte=1, lpWideCharStr=0x498754, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a33, cbMultiByte=1, lpWideCharStr=0x498756, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a34, cbMultiByte=1, lpWideCharStr=0x498758, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a35, cbMultiByte=1, lpWideCharStr=0x49875a, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a36, cbMultiByte=1, lpWideCharStr=0x49875c, cchWideChar=1 | out: lpWideCharStr="F") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a37, cbMultiByte=1, lpWideCharStr=0x49875e, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a38, cbMultiByte=1, lpWideCharStr=0x498760, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a39, cbMultiByte=1, lpWideCharStr=0x498762, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3a, cbMultiByte=1, lpWideCharStr=0x498764, cchWideChar=1 | out: lpWideCharStr="F") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3b, cbMultiByte=1, lpWideCharStr=0x498766, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3c, cbMultiByte=1, lpWideCharStr=0x498768, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3d, cbMultiByte=1, lpWideCharStr=0x49876a, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3e, cbMultiByte=1, lpWideCharStr=0x49876c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a3f, cbMultiByte=1, lpWideCharStr=0x49876e, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a40, cbMultiByte=1, lpWideCharStr=0x498770, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a41, cbMultiByte=1, lpWideCharStr=0x498772, cchWideChar=1 | out: lpWideCharStr="S") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a42, cbMultiByte=1, lpWideCharStr=0x498774, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a43, cbMultiByte=1, lpWideCharStr=0x498776, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a44, cbMultiByte=1, lpWideCharStr=0x498778, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a45, cbMultiByte=1, lpWideCharStr=0x49877a, cchWideChar=1 | out: lpWideCharStr="S") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a46, cbMultiByte=1, lpWideCharStr=0x49877c, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a47, cbMultiByte=1, lpWideCharStr=0x49877e, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a48, cbMultiByte=1, lpWideCharStr=0x498780, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a49, cbMultiByte=1, lpWideCharStr=0x498782, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a4a, cbMultiByte=1, lpWideCharStr=0x498784, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a4b, cbMultiByte=1, lpWideCharStr=0x498786, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0077.552] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x498a4c, cbMultiByte=1, lpWideCharStr=0x498788, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0077.552] GetLastError () returned 0x7e [0077.552] SetLastError (dwErrCode=0x7e) [0077.552] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x87) returned 0x49b1e0 [0077.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.553] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x87) returned 0x499830 [0077.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49b1e0 | out: hHeap=0x470000) returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499830, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499831, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="JI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499832, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499833, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499834, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499835, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="JI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499836, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499837, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="nI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499838, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499839, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49983a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49983b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49983c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49983d, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="FI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49983e, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49983f, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="bI:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499840, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499841, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="FI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499842, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="eI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499843, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="bI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499844, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499845, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="uI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499846, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499847, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499848, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="yI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499849, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49984a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="MI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49984b, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49984c, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49984d, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49984e, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="MI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49984f, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="aI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499850, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499851, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="cI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499852, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="hI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499853, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499854, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="AI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499855, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="pI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499856, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499857, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr=":I:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499858, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="AI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x499859, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="pI:吚ę頰I") returned 1 [0077.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x49985a, cbMultiByte=1, lpWideCharStr=0x3af474, cchWideChar=1 | out: lpWideCharStr="rI:吚ę頰I") returned 1 [0077.555] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x10e) returned 0x49b1e0 [0077.555] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x496aa0 [0077.555] GetLocaleInfoEx (in: lpLocaleName="en-US", LCType=0x22, lpLCData=0x3af4cc, cchData=2 | out: lpLCData="0") returned 2 [0077.555] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x497d10 [0077.555] GetLastError () returned 0x7e [0077.555] SetLastError (dwErrCode=0x7e) [0077.555] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48c) returned 0x49b2f8 [0077.555] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x49b790 [0077.555] GetLastError () returned 0x7e [0077.555] SetLastError (dwErrCode=0x7e) [0077.555] GetLastError () returned 0x7e [0077.555] SetLastError (dwErrCode=0x7e) [0077.555] GetLastError () returned 0x7e [0077.555] SetLastError (dwErrCode=0x7e) [0077.555] GetLastError () returned 0x7e [0077.555] SetLastError (dwErrCode=0x7e) [0077.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x497f38 | out: hHeap=0x470000) returned 1 [0077.556] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1b) returned 0x496ac8 [0077.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496ac8 | out: hHeap=0x470000) returned 1 [0077.556] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1) returned 0x497f38 [0077.556] GetLastError () returned 0x7e [0077.556] SetLastError (dwErrCode=0x7e) [0077.556] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x496a28, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 27 [0077.556] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x36) returned 0x49b7e8 [0077.556] GetLastError () returned 0x7e [0077.556] SetLastError (dwErrCode=0x7e) [0077.556] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x496a28, cbMultiByte=-1, lpWideCharStr=0x49b7e8, cchWideChar=27 | out: lpWideCharStr="English_United States.1252") returned 27 [0077.556] GetLastError () returned 0x7e [0077.556] SetLastError (dwErrCode=0x7e) [0077.556] GetLastError () returned 0x7e [0077.556] SetLastError (dwErrCode=0x7e) [0077.557] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x49cbd0 [0077.557] GetLastError () returned 0x7e [0077.557] SetLastError (dwErrCode=0x7e) [0077.557] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a6) returned 0x49cc90 [0077.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cc90 | out: hHeap=0x470000) returned 1 [0077.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4969b0 | out: hHeap=0x470000) returned 1 [0077.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4925d8 | out: hHeap=0x470000) returned 1 [0077.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49b7e8 | out: hHeap=0x470000) returned 1 [0077.558] GetLastError () returned 0x7e [0077.558] SetLastError (dwErrCode=0x7e) [0077.558] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af4d8 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x3af4d8) returned 27 [0077.558] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1f) returned 0x4969b0 [0077.558] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=27, lpMultiByteStr=0x4969b4, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af4d8 | out: lpMultiByteStr="English_United States.1252", lpUsedDefaultChar=0x3af4d8) returned 27 [0077.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a50 | out: hHeap=0x470000) returned 1 [0077.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a9e8 | out: hHeap=0x470000) returned 1 [0077.559] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a818 | out: hHeap=0x470000) returned 1 [0077.559] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.559] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4989f8 | out: hHeap=0x470000) returned 1 [0077.559] GetLastError () returned 0x7e [0077.559] SetLastError (dwErrCode=0x7e) [0077.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x497f38, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1 [0077.559] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2) returned 0x498228 [0077.559] GetLastError () returned 0x7e [0077.559] SetLastError (dwErrCode=0x7e) [0077.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x497f38, cbMultiByte=-1, lpWideCharStr=0x498228, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0077.559] GetLastError () returned 0x7e [0077.560] SetLastError (dwErrCode=0x7e) [0077.560] GetLastError () returned 0x7e [0077.560] SetLastError (dwErrCode=0x7e) [0077.560] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xb8) returned 0x4925d8 [0077.560] GetLastError () returned 0x7e [0077.560] SetLastError (dwErrCode=0x7e) [0077.560] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a6) returned 0x49cc90 [0077.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cc90 | out: hHeap=0x470000) returned 1 [0077.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4969b0 | out: hHeap=0x470000) returned 1 [0077.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cbd0 | out: hHeap=0x470000) returned 1 [0077.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x498228 | out: hHeap=0x470000) returned 1 [0077.560] GetLastError () returned 0x7e [0077.561] SetLastError (dwErrCode=0x7e) [0077.561] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af520 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x3af520) returned 27 [0077.561] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1f) returned 0x4969b0 [0077.561] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="English_United States.1252", cchWideChar=27, lpMultiByteStr=0x4969b4, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x3af520 | out: lpMultiByteStr="English_United States.1252", lpUsedDefaultChar=0x3af520) returned 27 [0077.561] IsDebuggerPresent () returned 0 [0077.561] GetCurrentThread () returned 0xfffffffe [0077.561] GetThreadContext (in: hThread=0xfffffffe, lpContext=0x3af6d4 | out: lpContext=0x3af6d4*(ContextFlags=0x10010, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0077.561] GetUserDefaultLCID () returned 0x409 [0077.561] GetUserDefaultLCID () returned 0x409 [0077.563] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0077.563] GetLastError () returned 0x7e [0077.563] SetLastError (dwErrCode=0x7e) [0077.563] GetLastError () returned 0x7e [0077.563] SetLastError (dwErrCode=0x7e) [0077.563] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af604, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0077.564] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af604, cbMultiByte=7, lpWideCharStr=0x3af580, cchWideChar=7 | out: lpWideCharStr="AppData") returned 7 [0077.564] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x49cbd0 [0077.564] GetEnvironmentVariableW (in: lpName="AppData", lpBuffer=0x49cbd0, nSize=0x104 | out: lpBuffer="") returned 0x22 [0077.564] GetLastError () returned 0x7e [0077.564] SetLastError (dwErrCode=0x7e) [0077.564] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.565] GetLastError () returned 0x7e [0077.565] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] GetLastError () returned 0x7e [0077.566] SetLastError (dwErrCode=0x7e) [0077.566] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.567] GetLastError () returned 0x7e [0077.567] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] GetLastError () returned 0x7e [0077.568] SetLastError (dwErrCode=0x7e) [0077.568] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495e88 [0077.569] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] GetLastError () returned 0x7e [0077.569] SetLastError (dwErrCode=0x7e) [0077.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.570] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x495ec0, cbMultiByte=38, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0077.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494378 [0077.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x495ec0, cbMultiByte=38, lpWideCharStr=0x494378, cchWideChar=38 | out: lpWideCharStr="{2A0E9C7B-6BE8-4306-9F73-1057003F605B}") returned 38 [0077.570] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495e88 | out: hHeap=0x470000) returned 1 [0077.570] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.570] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] GetLastError () returned 0x7e [0077.571] SetLastError (dwErrCode=0x7e) [0077.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af604, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0077.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af604, cbMultiByte=6, lpWideCharStr=0x3af580, cchWideChar=6 | out: lpWideCharStr="update") returned 6 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8c) returned 0x49a818 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4958d8 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x499fb8 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x499fd8 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x499ff8 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494428 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494480 [0077.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfc) returned 0x49a9e8 [0077.572] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x495920 [0077.572] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x49a018 [0077.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af574, cbMultiByte=5, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 5 [0077.572] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af574, cbMultiByte=5, lpWideCharStr=0x3af420, cchWideChar=5 | out: lpWideCharStr=".avdn") returned 5 [0077.572] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.572] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.572] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.572] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488710 [0077.572] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.572] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.573] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488710 | out: hHeap=0x470000) returned 1 [0077.573] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.573] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.573] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49ce90 [0077.573] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.573] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cf88 [0077.574] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49ce90 | out: hHeap=0x470000) returned 1 [0077.574] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d0f8 [0077.574] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cf88 | out: hHeap=0x470000) returned 1 [0077.574] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.574] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.574] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.574] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488710 [0077.575] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.575] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.575] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488710 | out: hHeap=0x470000) returned 1 [0077.575] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.575] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.576] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49ce90 [0077.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.576] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cf88 [0077.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49ce90 | out: hHeap=0x470000) returned 1 [0077.576] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d318 [0077.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cf88 | out: hHeap=0x470000) returned 1 [0077.577] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0f8 | out: hHeap=0x470000) returned 1 [0077.577] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.577] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.578] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.578] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488710 [0077.578] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.578] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.578] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.578] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.578] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.579] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.579] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x49a038 [0077.579] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.579] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a038 | out: hHeap=0x470000) returned 1 [0077.579] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48) returned 0x4887b0 [0077.579] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.579] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x499830 [0077.579] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4887b0 | out: hHeap=0x470000) returned 1 [0077.579] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x49cde8 [0077.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.580] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xd8) returned 0x49ce80 [0077.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.580] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x138) returned 0x49cf60 [0077.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49ce80 | out: hHeap=0x470000) returned 1 [0077.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.581] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488710 | out: hHeap=0x470000) returned 1 [0077.581] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x49a038 [0077.581] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.581] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a038 | out: hHeap=0x470000) returned 1 [0077.581] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48) returned 0x488710 [0077.581] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.581] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.581] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.581] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.581] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.582] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.582] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.582] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.582] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.582] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.582] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.582] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.582] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.583] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.583] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.583] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.583] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496a28 | out: hHeap=0x470000) returned 1 [0077.583] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.583] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.583] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.583] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.583] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49d0a0 [0077.584] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d148 [0077.584] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49d538 [0077.584] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d148 | out: hHeap=0x470000) returned 1 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a28 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x49a038 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496a50 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.584] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a038 | out: hHeap=0x470000) returned 1 [0077.584] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496ac8 [0077.585] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48) returned 0x488760 [0077.585] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495ec0 | out: hHeap=0x470000) returned 1 [0077.585] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x499830 [0077.585] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.585] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x49d0a0 [0077.585] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.585] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496af0 [0077.585] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496b18 [0077.585] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xd8) returned 0x49d138 [0077.586] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496b40 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ec0 [0077.586] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496b40 | out: hHeap=0x470000) returned 1 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496b40 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x138) returned 0x49d6a8 [0077.586] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d138 | out: hHeap=0x470000) returned 1 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496b68 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x496b90 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d800 [0077.586] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495e88 [0077.587] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d800 | out: hHeap=0x470000) returned 1 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c8) returned 0x49d0a0 [0077.587] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d6a8 | out: hHeap=0x470000) returned 1 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d800 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495ef8 [0077.587] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d800 | out: hHeap=0x470000) returned 1 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d800 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d828 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d850 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d878 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d8a0 [0077.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2a0) returned 0x49dfe8 [0077.588] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d8c8 [0077.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d8f0 [0077.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d918 [0077.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495f30 [0077.588] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d918 | out: hHeap=0x470000) returned 1 [0077.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d538 | out: hHeap=0x470000) returned 1 [0077.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d918 [0077.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495f68 [0077.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d918 | out: hHeap=0x470000) returned 1 [0077.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495f68 | out: hHeap=0x470000) returned 1 [0077.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.590] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.590] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.590] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.591] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d918 [0077.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495f68 [0077.591] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d918 | out: hHeap=0x470000) returned 1 [0077.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.591] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495f68 | out: hHeap=0x470000) returned 1 [0077.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.591] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49d0a0 [0077.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d148 [0077.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49d538 [0077.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d148 | out: hHeap=0x470000) returned 1 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d918 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x49a038 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d940 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495f68 [0077.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49a038 | out: hHeap=0x470000) returned 1 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d968 [0077.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48) returned 0x488760 [0077.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x495f68 | out: hHeap=0x470000) returned 1 [0077.593] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d990 [0077.593] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495f68 [0077.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d990 | out: hHeap=0x470000) returned 1 [0077.593] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x499830 [0077.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.594] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d990 [0077.594] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x49d6a8 [0077.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d9b8 [0077.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49d9e0 [0077.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xd8) returned 0x49d0a0 [0077.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d6a8 | out: hHeap=0x470000) returned 1 [0077.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49da08 [0077.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49da30 [0077.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49da58 [0077.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495fa0 [0077.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49da58 | out: hHeap=0x470000) returned 1 [0077.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x138) returned 0x49d6a8 [0077.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49da58 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49da80 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49daa8 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dad0 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c8) returned 0x49d0a0 [0077.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d6a8 | out: hHeap=0x470000) returned 1 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49daf8 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49db20 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49db48 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49db70 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49db98 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dbc0 [0077.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x495fd8 [0077.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dbc0 | out: hHeap=0x470000) returned 1 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2a0) returned 0x49e290 [0077.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dbc0 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dbe8 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dc10 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dc38 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dc60 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dc88 [0077.598] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcb0 [0077.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d538 | out: hHeap=0x470000) returned 1 [0077.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.599] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.599] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496010 [0077.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.599] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.600] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496010 | out: hHeap=0x470000) returned 1 [0077.600] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.600] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496010 [0077.600] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.600] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x4887b0 [0077.600] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496010 | out: hHeap=0x470000) returned 1 [0077.601] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.601] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.601] GetLastError () returned 0x7e [0077.601] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af3c8 | out: lpSystemTimeAsFileTime=0x3af3c8*(dwLowDateTime=0x4e74ed80, dwHighDateTime=0x1d7fb45)) [0077.601] GetLastError () returned 0x7e [0077.601] SetLastError (dwErrCode=0x7e) [0077.601] GetLastError () returned 0x7e [0077.601] SetLastError (dwErrCode=0x7e) [0077.601] GetLastError () returned 0x7e [0077.601] SetLastError (dwErrCode=0x7e) [0077.601] GetLastError () returned 0x7e [0077.601] SetLastError (dwErrCode=0x7e) [0077.601] GetLastError () returned 0x7e [0077.601] SetLastError (dwErrCode=0x7e) [0077.601] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.602] SetLastError (dwErrCode=0x7e) [0077.602] GetLastError () returned 0x7e [0077.603] SetLastError (dwErrCode=0x7e) [0077.603] GetLastError () returned 0x7e [0077.603] SetLastError (dwErrCode=0x7e) [0077.603] GetLastError () returned 0x7e [0077.603] SetLastError (dwErrCode=0x7e) [0077.603] GetLastError () returned 0x7e [0077.603] SetLastError (dwErrCode=0x7e) [0077.603] GetLastError () returned 0x7e [0077.603] SetLastError (dwErrCode=0x7e) [0077.603] GetLastError () returned 0x7e [0077.603] SetLastError (dwErrCode=0x7e) [0077.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af3c4, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0077.603] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.603] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af3c4, cbMultiByte=12, lpWideCharStr=0x49dcd8, cchWideChar=12 | out: lpWideCharStr="-readme.html") returned 12 [0077.603] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496010 [0077.604] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.604] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.604] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496048 [0077.604] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.604] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.604] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.604] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.605] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.605] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.605] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.605] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.605] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.605] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.605] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.605] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d0a0 [0077.606] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.606] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x49e538 [0077.606] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.606] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x49e860 [0077.606] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.606] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x49ed10 [0077.607] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e860 | out: hHeap=0x470000) returned 1 [0077.607] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa72) returned 0x49f410 [0077.607] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49ed10 | out: hHeap=0x470000) returned 1 [0077.607] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfaa) returned 0x49fe90 [0077.608] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49f410 | out: hHeap=0x470000) returned 1 [0077.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17a1) returned 0x49e538 [0077.608] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49fe90 | out: hHeap=0x470000) returned 1 [0077.640] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x235f) returned 0x49fce8 [0077.641] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.641] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34fc) returned 0x4a2050 [0077.642] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49fce8 | out: hHeap=0x470000) returned 1 [0077.642] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4f68) returned 0x4a5558 [0077.643] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a2050 | out: hHeap=0x470000) returned 1 [0077.643] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.643] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496048 [0077.644] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.644] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.644] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.644] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.644] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.644] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.645] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.645] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.645] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d0a0 [0077.645] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x4aa4c8 [0077.646] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.646] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x4aa7f0 [0077.646] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4aa4c8 | out: hHeap=0x470000) returned 1 [0077.646] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x4aaca0 [0077.646] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4aa7f0 | out: hHeap=0x470000) returned 1 [0077.646] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa72) returned 0x4ab3a0 [0077.647] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4aaca0 | out: hHeap=0x470000) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfaa) returned 0x4abe20 [0077.647] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ab3a0 | out: hHeap=0x470000) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17a1) returned 0x4aa4c8 [0077.647] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4abe20 | out: hHeap=0x470000) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x235f) returned 0x49e538 [0077.647] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4aa4c8 | out: hHeap=0x470000) returned 1 [0077.648] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34fc) returned 0x4a08a0 [0077.648] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.648] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4f68) returned 0x4aa4c8 [0077.649] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a08a0 | out: hHeap=0x470000) returned 1 [0077.649] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3eb3) returned 0x49e538 [0077.649] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4aa4c8 | out: hHeap=0x470000) returned 1 [0077.649] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a5558 | out: hHeap=0x470000) returned 1 [0077.649] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.649] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496048 [0077.650] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.650] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.650] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.650] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.650] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.650] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.650] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.650] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.651] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.651] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.651] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.651] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d0a0 [0077.651] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.651] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x4a23f8 [0077.652] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.652] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x4a2720 [0077.652] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a23f8 | out: hHeap=0x470000) returned 1 [0077.652] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x4a2bd0 [0077.652] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a2720 | out: hHeap=0x470000) returned 1 [0077.652] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa72) returned 0x4a32d0 [0077.652] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a2bd0 | out: hHeap=0x470000) returned 1 [0077.652] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfaa) returned 0x4a3d50 [0077.653] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a32d0 | out: hHeap=0x470000) returned 1 [0077.653] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17a1) returned 0x4a23f8 [0077.653] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a3d50 | out: hHeap=0x470000) returned 1 [0077.653] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x235f) returned 0x4a3ba8 [0077.653] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a23f8 | out: hHeap=0x470000) returned 1 [0077.653] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34fc) returned 0x4a5f10 [0077.654] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a3ba8 | out: hHeap=0x470000) returned 1 [0077.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4f68) returned 0x4a9418 [0077.654] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a5f10 | out: hHeap=0x470000) returned 1 [0077.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496048 [0077.654] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.654] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.655] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.655] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.655] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.655] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d0a0 [0077.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x4ae388 [0077.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x4ae6b0 [0077.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae388 | out: hHeap=0x470000) returned 1 [0077.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x4aeb60 [0077.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae6b0 | out: hHeap=0x470000) returned 1 [0077.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa72) returned 0x4af260 [0077.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4aeb60 | out: hHeap=0x470000) returned 1 [0077.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfaa) returned 0x4afce0 [0077.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4af260 | out: hHeap=0x470000) returned 1 [0077.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17a1) returned 0x4ae388 [0077.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4afce0 | out: hHeap=0x470000) returned 1 [0077.658] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x235f) returned 0x4afb38 [0077.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae388 | out: hHeap=0x470000) returned 1 [0077.658] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34fc) returned 0x4a23f8 [0077.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4afb38 | out: hHeap=0x470000) returned 1 [0077.658] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4f68) returned 0x4ae388 [0077.659] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a23f8 | out: hHeap=0x470000) returned 1 [0077.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x7d33) returned 0x4b32f8 [0077.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae388 | out: hHeap=0x470000) returned 1 [0077.661] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a9418 | out: hHeap=0x470000) returned 1 [0077.662] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.662] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496048 [0077.662] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.662] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.663] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.663] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.663] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.663] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.663] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.663] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.663] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.663] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.664] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x49d0a0 [0077.664] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x4bb038 [0077.664] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x4bb360 [0077.665] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bb038 | out: hHeap=0x470000) returned 1 [0077.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x4bb810 [0077.665] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bb360 | out: hHeap=0x470000) returned 1 [0077.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa72) returned 0x4bbf10 [0077.665] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bb810 | out: hHeap=0x470000) returned 1 [0077.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfaa) returned 0x4bc990 [0077.666] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bbf10 | out: hHeap=0x470000) returned 1 [0077.666] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17a1) returned 0x4bb038 [0077.666] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bc990 | out: hHeap=0x470000) returned 1 [0077.666] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x235f) returned 0x4bc7e8 [0077.666] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bb038 | out: hHeap=0x470000) returned 1 [0077.666] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34fc) returned 0x49e538 [0077.667] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bc7e8 | out: hHeap=0x470000) returned 1 [0077.667] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4f68) returned 0x4a1a40 [0077.667] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.668] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dcd8 [0077.668] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x496048 [0077.668] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.668] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.668] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.668] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x499830 [0077.668] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.668] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x49cde8 [0077.669] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.669] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x49d0a0 [0077.669] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.669] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x49cde8 [0077.669] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e860 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49ed10 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49f410 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49fe90 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bb038 | out: hHeap=0x470000) returned 1 [0077.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49e538 | out: hHeap=0x470000) returned 1 [0077.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b32f8 | out: hHeap=0x470000) returned 1 [0077.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a69b0 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4a1a40 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6c00 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dcd8 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x496048 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x499830 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49cde8 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49d0a0 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6c00 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4bb038 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c73d8 | out: hHeap=0x470000) returned 1 [0077.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6f28 | out: hHeap=0x470000) returned 1 [0077.674] RtlInitializeConditionVariable () returned 0x4944fc [0077.674] GetLastError () returned 0x7e [0077.674] SetLastError (dwErrCode=0x7e) [0077.674] GetLastError () returned 0x7e [0077.674] SetLastError (dwErrCode=0x7e) [0077.674] GetLastError () returned 0x7e [0077.674] SetLastError (dwErrCode=0x7e) [0077.674] GetLastError () returned 0x7e [0077.674] SetLastError (dwErrCode=0x7e) [0077.674] GetLastError () returned 0x7e [0077.674] SetLastError (dwErrCode=0x7e) [0077.674] GetLastError () returned 0x7e [0077.675] SetLastError (dwErrCode=0x7e) [0077.675] GetLastError () returned 0x7e [0077.675] SetLastError (dwErrCode=0x7e) [0077.675] GetLastError () returned 0x7e [0077.675] SetLastError (dwErrCode=0x7e) [0077.675] GetLastError () returned 0x7e [0077.675] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{2A0E9C7B-6BE8-4306-9F73-1057003F605B}") returned 0x0 [0077.675] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="{2A0E9C7B-6BE8-4306-9F73-1057003F605B}") returned 0xdc [0077.676] GetCurrentProcess () returned 0xffffffff [0077.676] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3af350 | out: TokenHandle=0x3af350*=0xd8) returned 1 [0077.676] GetTokenInformation (in: TokenHandle=0xd8, TokenInformationClass=0x14, TokenInformation=0x3af358, TokenInformationLength=0x4, ReturnLength=0x3af354 | out: TokenInformation=0x3af358, ReturnLength=0x3af354) returned 1 [0077.676] CloseHandle (hObject=0xd8) returned 1 [0077.676] GetCurrentProcess () returned 0xffffffff [0077.676] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3af2d0 | out: TokenHandle=0x3af2d0*=0xd8) returned 1 [0077.676] GetTokenInformation (in: TokenHandle=0xd8, TokenInformationClass=0x14, TokenInformation=0x3af2d8, TokenInformationLength=0x4, ReturnLength=0x3af2d4 | out: TokenInformation=0x3af2d8, ReturnLength=0x3af2d4) returned 1 [0077.676] CloseHandle (hObject=0xd8) returned 1 [0077.676] GetLastError () returned 0x0 [0077.676] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0077.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af2ac, cbMultiByte=9, lpWideCharStr=0x49dd78, cchWideChar=9 | out: lpWideCharStr="EnableLUA") returned 9 [0077.676] GetLastError () returned 0x0 [0077.676] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dda0 [0077.676] GetLastError () returned 0x0 [0077.676] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0077.677] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dda0 | out: hHeap=0x470000) returned 1 [0077.677] GetLastError () returned 0x0 [0077.677] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.678] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0077.678] GetLastError () returned 0x0 [0077.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dda0 [0077.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0077.678] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dda0 | out: hHeap=0x470000) returned 1 [0077.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488850 [0077.678] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0077.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x488850, cbMultiByte=57, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 57 [0077.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4b1dd8 [0077.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x488850, cbMultiByte=57, lpWideCharStr=0x4b1dd8, cchWideChar=57 | out: lpWideCharStr="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0077.679] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.679] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488850 | out: hHeap=0x470000) returned 1 [0077.679] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", ulOptions=0x0, samDesired=0xf003f, phkResult=0x3af354 | out: phkResult=0x3af354*=0xd8) returned 0x0 [0077.679] RegSetValueExW (in: hKey=0xd8, lpValueName="EnableLUA", Reserved=0x0, dwType=0x4, lpData=0x3af350*=0x0, cbData=0x4 | out: lpData=0x3af350*=0x0) returned 0x0 [0077.690] RegCloseKey (hKey=0xd8) returned 0x0 [0077.690] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b1dd8 | out: hHeap=0x470000) returned 1 [0077.690] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0077.690] GetLastError () returned 0x0 [0077.690] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0077.691] GetLastError () returned 0x0 [0077.691] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dda0 [0077.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x49dda0, cbMultiByte=26, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 26 [0077.691] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4b0870 [0077.691] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x49dda0, cbMultiByte=26, lpWideCharStr=0x4b0870, cchWideChar=26 | out: lpWideCharStr="ConsentPromptBehaviorAdmin") returned 26 [0077.691] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0077.691] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dda0 | out: hHeap=0x470000) returned 1 [0077.691] GetLastError () returned 0x0 [0077.691] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dda0 [0077.691] GetLastError () returned 0x0 [0077.691] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0077.692] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dda0 | out: hHeap=0x470000) returned 1 [0077.692] GetLastError () returned 0x0 [0077.692] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488850 [0077.692] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0077.692] GetLastError () returned 0x0 [0077.692] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dda0 [0077.692] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0077.693] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dda0 | out: hHeap=0x470000) returned 1 [0077.693] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488760 [0077.693] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0077.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x488760, cbMultiByte=57, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 57 [0077.693] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4b1dd8 [0077.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x488760, cbMultiByte=57, lpWideCharStr=0x4b1dd8, cchWideChar=57 | out: lpWideCharStr="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0077.693] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488850 | out: hHeap=0x470000) returned 1 [0077.694] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488760 | out: hHeap=0x470000) returned 1 [0077.694] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", ulOptions=0x0, samDesired=0xf003f, phkResult=0x3af354 | out: phkResult=0x3af354*=0xd8) returned 0x0 [0077.694] RegSetValueExW (in: hKey=0xd8, lpValueName="ConsentPromptBehaviorAdmin", Reserved=0x0, dwType=0x4, lpData=0x3af350*=0x0, cbData=0x4 | out: lpData=0x3af350*=0x0) returned 0x0 [0077.696] RegCloseKey (hKey=0xd8) returned 0x0 [0077.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b1dd8 | out: hHeap=0x470000) returned 1 [0077.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b0870 | out: hHeap=0x470000) returned 1 [0077.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x180) returned 0x49cbd0 [0077.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x180) returned 0x49cd58 [0077.697] CryptAcquireContextW (in: phProv=0x49d7a4, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x49d7a4*=0x4b1dd8) returned 1 [0078.078] CryptAcquireContextW (in: phProv=0x49d76c, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0x0 | out: phProv=0x49d76c*=0x0) returned 0 [0078.528] GetLastError () returned 0x80090016 [0078.528] CryptAcquireContextW (in: phProv=0x49d76c, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0x8 | out: phProv=0x49d76c*=0x4b32b0) returned 1 [0078.693] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExAAgAAAEAAQA/ZPdUr/Us5yRNTuqDBK6ARGEWG3HW9s7spN3ZzNG9rgAlU5tdznuR9cthtGYk5jJSoxU52BmC7sawLgTth2MYzv894fF8piKzssNIc0togiK1fmx47zKIZZjiHH3CYdvmlgR+qVQouUnZt1yOR/h8n5cGqHvzXjvgpGMxx9y5+YerCaDEcUJcxrXcnzBMs2PZYZUz99duZXI3pyAXOE9oXK5jh56NohkklKpmgchs5v8yLiz4iexvtGm5Yd99tr/gjw51x46U1aAzwx0kIPjK+srhkRR/3qFJOQ2c65NSvctC4v138pJdEzBLuenoB1GKcfaaU/EQJm3qAKQMeyXu", cchString=0x0, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x3af35c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x3af35c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.693] GetProcessHeap () returned 0x470000 [0078.693] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x114) returned 0x4b8160 [0078.693] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExAAgAAAEAAQA/ZPdUr/Us5yRNTuqDBK6ARGEWG3HW9s7spN3ZzNG9rgAlU5tdznuR9cthtGYk5jJSoxU52BmC7sawLgTth2MYzv894fF8piKzssNIc0togiK1fmx47zKIZZjiHH3CYdvmlgR+qVQouUnZt1yOR/h8n5cGqHvzXjvgpGMxx9y5+YerCaDEcUJcxrXcnzBMs2PZYZUz99duZXI3pyAXOE9oXK5jh56NohkklKpmgchs5v8yLiz4iexvtGm5Yd99tr/gjw51x46U1aAzwx0kIPjK+srhkRR/3qFJOQ2c65NSvctC4v138pJdEzBLuenoB1GKcfaaU/EQJm3qAKQMeyXu", cchString=0x0, dwFlags=0x1, pbBinary=0x4b8160, pcbBinary=0x3af35c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x4b8160, pcbBinary=0x3af35c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.693] CryptImportKey (in: hProv=0x4b1dd8, pbData=0x4b8160, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x49d7a0 | out: phKey=0x49d7a0*=0x49b828) returned 1 [0078.694] GetProcessHeap () returned 0x470000 [0078.694] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b8160 | out: hHeap=0x470000) returned 1 [0078.694] CryptGenKey (in: hProv=0x4b32b0, Algid=0x6610, dwFlags=0x1, phKey=0x49d7a8 | out: phKey=0x49d7a8*=0x49b8e8) returned 1 [0078.695] CryptExportKey (in: hKey=0x49b8e8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x0, pdwDataLen=0x3af32c | out: pbData=0x0*, pdwDataLen=0x3af32c*=0x2c) returned 1 [0078.695] CryptEncrypt (in: hKey=0x49b828, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x3af32c*=0x2c, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x3af32c*=0x100) returned 1 [0078.695] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x4b85d8 [0078.695] CryptExportKey (in: hKey=0x49b8e8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4b85d8, pdwDataLen=0x3af330 | out: pbData=0x4b85d8*, pdwDataLen=0x3af330*=0x2c) returned 1 [0078.695] CryptEncrypt (in: hKey=0x49b828, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b85d8*, pdwDataLen=0x3af330*=0x2c, dwBufLen=0x100 | out: pbData=0x4b85d8*, pdwDataLen=0x3af330*=0x100) returned 1 [0078.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr=".avdn", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0078.695] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr=".avdn", cchWideChar=5, lpMultiByteStr=0x3af270, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".avdn", lpUsedDefaultChar=0x0) returned 5 [0078.695] CryptEncrypt (in: hKey=0x49b828, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x3af32c*=0x2c, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x3af32c*=0x100) returned 1 [0078.695] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x4b8160 [0078.695] CryptEncrypt (in: hKey=0x49b828, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b8160*, pdwDataLen=0x3af330*=0x5, dwBufLen=0x100 | out: pbData=0x4b8160*, pdwDataLen=0x3af330*=0x100) returned 1 [0078.695] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4baad8 [0078.696] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b8160 | out: hHeap=0x470000) returned 1 [0078.696] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b85d8 | out: hHeap=0x470000) returned 1 [0078.696] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494588 [0078.696] GetLastError () returned 0x0 [0078.696] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0078.696] GetLastError () returned 0x0 [0078.696] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0078.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0078.697] GetLastError () returned 0x0 [0078.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x488850 [0078.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0078.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0078.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0078.697] GetLastError () returned 0x0 [0078.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4b3860 [0078.697] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3af044, cbMultiByte=12, lpWideCharStr=0x4b3860, cchWideChar=12 | out: lpWideCharStr="api.myip.com") returned 12 [0078.697] GetLastError () returned 0x0 [0078.697] InternetOpenW (lpszAgent="WinInet", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0080.082] InternetConnectW (hInternet=0xcc0004, lpszServerName="api.myip.com", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x400000, dwContext=0x1) returned 0xcc0008 [0080.089] GetLastError () returned 0x0 [0080.089] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4c1110 [0080.089] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3aeba4, cbMultiByte=8, lpWideCharStr=0x4c1110, cchWideChar=8 | out: lpWideCharStr="HTTP/1.1") returned 8 [0080.089] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x800000, dwContext=0x1) returned 0xcc000c [0081.004] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c1110 | out: hHeap=0x470000) returned 1 [0081.004] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0088.885] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x3aec64, dwNumberOfBytesToRead=0x3ff, lpdwNumberOfBytesRead=0x3aec60 | out: lpBuffer=0x3aec64*, lpdwNumberOfBytesRead=0x3aec60*=0x35) returned 1 [0088.886] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e5b0 [0088.886] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e6a0 [0088.886] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e5b0 | out: hHeap=0x470000) returned 1 [0088.886] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x3aec64, dwNumberOfBytesToRead=0x3ff, lpdwNumberOfBytesRead=0x3aec60 | out: lpBuffer=0x3aec64*, lpdwNumberOfBytesRead=0x3aec60*=0x0) returned 1 [0088.886] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0088.886] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0088.886] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0088.887] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d5d8 [0088.887] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e6a0 | out: hHeap=0x470000) returned 1 [0088.887] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3860 | out: hHeap=0x470000) returned 1 [0088.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="88.153.199.169", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0088.888] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="88.153.199.169", cchWideChar=14, lpMultiByteStr=0x3af1c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="88.153.199.169", lpUsedDefaultChar=0x0) returned 14 [0088.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0218 [0088.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x410) returned 0x4c6488 [0088.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x4b3860 [0088.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d538 [0088.888] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3860 | out: hHeap=0x470000) returned 1 [0088.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x410) returned 0x4c68a0 [0088.888] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x430) returned 0x2c56178 [0088.889] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6d538 | out: hHeap=0x470000) returned 1 [0088.889] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c68a0 | out: hHeap=0x470000) returned 1 [0088.889] CryptAcquireContextW (in: phProv=0x3af1c8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3af1c8*=0x4d4080) returned 1 [0088.890] CryptImportKey (in: hProv=0x4d4080, pbData=0x3af180, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x3af1d8 | out: phKey=0x3af1d8*=0x2c5f490) returned 1 [0088.891] CryptSetKeyParam (hKey=0x2c5f490, dwParam=0x1, pbData=0x49dd78, dwFlags=0x0) returned 1 [0088.891] CryptSetKeyParam (hKey=0x2c5f490, dwParam=0x4, pbData=0x3af1ac*=0x1, dwFlags=0x0) returned 1 [0088.891] CryptDuplicateKey (in: hKey=0x2c5f490, pdwReserved=0x0, dwFlags=0x0, phKey=0x3af1d0 | out: phKey=0x3af1d0*=0x2c5f450) returned 1 [0088.891] CryptEncrypt (in: hKey=0x2c5f450, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x3af1d4*=0x421, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x3af1d4*=0x430) returned 1 [0088.892] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x430) returned 0x4c68a0 [0088.892] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x647) returned 0x2c565b0 [0088.892] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c68a0 | out: hHeap=0x470000) returned 1 [0088.892] CryptEncrypt (in: hKey=0x2c5f450, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2c565b0*, pdwDataLen=0x3af1cc*=0x421, dwBufLen=0x430 | out: pbData=0x2c565b0*, pdwDataLen=0x3af1cc*=0x430) returned 1 [0088.893] CryptDestroyKey (hKey=0x2c5f450) returned 1 [0088.893] CryptDestroyKey (hKey=0x2c5f490) returned 1 [0088.893] CryptReleaseContext (hProv=0x4d4080, dwFlags=0x0) returned 1 [0088.893] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c56178 | out: hHeap=0x470000) returned 1 [0088.893] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d538 [0088.893] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98970 [0088.894] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6d538 | out: hHeap=0x470000) returned 1 [0088.894] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x2c8a0c0 [0088.894] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98970 | out: hHeap=0x470000) returned 1 [0088.894] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x2c5e6a0 [0088.894] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a0c0 | out: hHeap=0x470000) returned 1 [0088.894] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x2bf6930 [0088.894] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e6a0 | out: hHeap=0x470000) returned 1 [0088.894] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x2c25560 [0088.894] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2bf6930 | out: hHeap=0x470000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x2c617d8 [0088.895] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c25560 | out: hHeap=0x470000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x2c84150 [0088.895] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c617d8 | out: hHeap=0x470000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x4c5fb8 [0088.895] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c84150 | out: hHeap=0x470000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x2c56c00 [0088.895] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c5fb8 | out: hHeap=0x470000) returned 1 [0088.895] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x2ca8d90 [0088.896] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c56c00 | out: hHeap=0x470000) returned 1 [0088.896] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c565b0 | out: hHeap=0x470000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5a0) returned 0x2c56178 [0088.896] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8d90 | out: hHeap=0x470000) returned 1 [0088.896] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d538 [0088.896] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98970 [0088.897] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6d538 | out: hHeap=0x470000) returned 1 [0088.897] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x2c8a0c0 [0088.897] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98970 | out: hHeap=0x470000) returned 1 [0088.897] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6a) returned 0x2c5e6a0 [0088.897] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a0c0 | out: hHeap=0x470000) returned 1 [0088.898] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x9e) returned 0x2bf6930 [0088.898] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e6a0 | out: hHeap=0x470000) returned 1 [0088.898] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xec) returned 0x2c25560 [0088.898] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2bf6930 | out: hHeap=0x470000) returned 1 [0088.898] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x161) returned 0x2c617d8 [0088.898] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c25560 | out: hHeap=0x470000) returned 1 [0088.898] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x211) returned 0x2c84150 [0088.898] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c617d8 | out: hHeap=0x470000) returned 1 [0088.898] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x319) returned 0x4c5fb8 [0088.899] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c84150 | out: hHeap=0x470000) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4a5) returned 0x2c56720 [0088.899] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c5fb8 | out: hHeap=0x470000) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6f7) returned 0x2c56bd0 [0088.899] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c56720 | out: hHeap=0x470000) returned 1 [0088.899] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa72) returned 0x2ca8d90 [0088.900] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c56bd0 | out: hHeap=0x470000) returned 1 [0088.900] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c56178 | out: hHeap=0x470000) returned 1 [0088.900] GetLastError () returned 0x0 [0088.900] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x780) returned 0x2c56178 [0088.901] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c56178 | out: hHeap=0x470000) returned 1 [0088.901] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8d90 | out: hHeap=0x470000) returned 1 [0088.901] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6488 | out: hHeap=0x470000) returned 1 [0088.901] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0218 | out: hHeap=0x470000) returned 1 [0088.902] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6d5d8 | out: hHeap=0x470000) returned 1 [0088.902] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0088.902] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0088.903] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488850 | out: hHeap=0x470000) returned 1 [0088.903] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x494588 | out: hHeap=0x470000) returned 1 [0088.903] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x494588 [0088.903] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0218 [0088.918] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d0218, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\avaddon_09_06_2020_1054kb.exe")) returned 0x38 [0088.918] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4e43f8 [0088.918] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2c85b98 [0088.918] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2bd49f8 [0088.918] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85b98 | out: hHeap=0x470000) returned 1 [0088.920] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e43f8 | out: hHeap=0x470000) returned 1 [0088.920] CopyFileW (lpExistingFileName="C:\\Users\\kEecfMwgj\\Desktop\\Avaddon_09_06_2020_1054KB.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\avaddon_09_06_2020_1054kb.exe"), lpNewFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\avaddon_09_06_2020_1054kb.exe"), bFailIfExists=0) returned 1 [0089.145] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0218 | out: hHeap=0x470000) returned 1 [0089.146] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x494588 | out: hHeap=0x470000) returned 1 [0089.146] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x552398 [0089.146] GetLastError () returned 0x0 [0089.146] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0089.146] GetLastError () returned 0x0 [0089.146] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x4960b8 [0089.146] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0089.146] GetLastError () returned 0x0 [0089.146] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0089.146] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98970 [0089.147] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0089.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2c98970, cbMultiByte=45, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 45 [0089.147] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c46cc8 [0089.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2c98970, cbMultiByte=45, lpWideCharStr=0x2c46cc8, cchWideChar=45 | out: lpWideCharStr="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0089.147] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4960b8 | out: hHeap=0x470000) returned 1 [0089.151] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98970 | out: hHeap=0x470000) returned 1 [0089.151] RegCreateKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult=0x3af308 | out: phkResult=0x3af308*=0x504) returned 0x0 [0089.151] RegSetValueExW (in: hKey=0x504, lpValueName="update", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe", cbData=0x80 | out: lpData="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe") returned 0x0 [0089.152] RegCloseKey (hKey=0x504) returned 0x0 [0089.152] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c46cc8 | out: hHeap=0x470000) returned 1 [0089.153] GetLastError () returned 0x0 [0089.153] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0089.153] GetLastError () returned 0x0 [0089.153] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98970 [0089.153] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0089.153] GetLastError () returned 0x0 [0089.153] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x49dd78 [0089.153] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c989a8 [0089.154] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x49dd78 | out: hHeap=0x470000) returned 1 [0089.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2c989a8, cbMultiByte=45, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 45 [0089.154] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c46cc8 [0089.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2c989a8, cbMultiByte=45, lpWideCharStr=0x2c46cc8, cchWideChar=45 | out: lpWideCharStr="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0089.154] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98970 | out: hHeap=0x470000) returned 1 [0089.154] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c989a8 | out: hHeap=0x470000) returned 1 [0089.154] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult=0x3af308 | out: phkResult=0x3af308*=0x504) returned 0x0 [0089.155] RegSetValueExW (in: hKey=0x504, lpValueName="update", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe", cbData=0x80 | out: lpData="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe") returned 0x0 [0089.156] RegCloseKey (hKey=0x504) returned 0x0 [0089.157] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c46cc8 | out: hHeap=0x470000) returned 1 [0089.157] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0089.158] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0089.170] CoCreateInstance (in: rclsid=0x11f3840*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x11f3830*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x3af2e0 | out: ppv=0x3af2e0*=0x72ff68) returned 0x0 [0090.206] TaskScheduler:ITaskService:Connect (This=0x72ff68, serverName=0x3af1cc*(varType=0x0, wReserved1=0x77a5, wReserved2=0xfcab, wReserved3=0xe2, varVal1=0x5c001d, varVal2=0x1f5), user=0x3af1dc*(varType=0x0, wReserved1=0x769c, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x4dbe78), domain=0x3af1ec*(varType=0x0, wReserved1=0x0, wReserved2=0xc0c8, wReserved3=0x4d, varVal1=0x3af280, varVal2=0x77a0e003), password=0x3af1fc*(varType=0x0, wReserved1=0x3a, wReserved2=0x621f, wReserved3=0x77a1, varVal1=0x77a16224, varVal2=0x7778c04f)) returned 0x0 [0090.210] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aa38 [0090.210] TaskScheduler:ITaskService:GetFolder (in: This=0x72ff68, Path="\\", ppFolder=0x3af2e4 | out: ppFolder=0x3af2e4*=0x29f0448) returned 0x0 [0090.213] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa38 | out: hHeap=0x470000) returned 1 [0090.213] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aa38 [0090.213] ITaskFolder:DeleteTask (This=0x29f0448, Name="update", flags=0) returned 0x80070002 [0090.217] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa38 | out: hHeap=0x470000) returned 1 [0090.219] TaskScheduler:ITaskService:NewTask (in: This=0x72ff68, flags=0x0, ppDefinition=0x3af2e8 | out: ppDefinition=0x3af2e8*=0x29f04a0) returned 0x0 [0090.221] TaskScheduler:IUnknown:Release (This=0x72ff68) returned 0x1 [0090.221] ITaskDefinition:get_RegistrationInfo (in: This=0x29f04a0, ppRegistrationInfo=0x3af2c0 | out: ppRegistrationInfo=0x3af2c0*=0x29f0560) returned 0x0 [0090.222] IUnknown:Release (This=0x29f0560) returned 0x1 [0090.222] ITaskDefinition:get_Triggers (in: This=0x29f04a0, ppTriggers=0x3af2d0 | out: ppTriggers=0x3af2d0*=0x29f05d0) returned 0x0 [0090.222] ITriggerCollection:Create (in: This=0x29f05d0, Type=2, ppTrigger=0x3af2cc | out: ppTrigger=0x3af2cc*=0x29f0750) returned 0x0 [0090.223] IUnknown:Release (This=0x29f05d0) returned 0x1 [0090.223] IUnknown:QueryInterface (in: This=0x29f0750, riid=0x11f3820*(Data1=0x126c5cd8, Data2=0xb288, Data3=0x41d5, Data4=([0]=0x8d, [1]=0xbf, [2]=0xe4, [3]=0x91, [4]=0x44, [5]=0x6a, [6]=0xdc, [7]=0x5c)), ppvObject=0x3af2dc | out: ppvObject=0x3af2dc*=0x29f0750) returned 0x0 [0090.223] IUnknown:Release (This=0x29f0750) returned 0x2 [0090.223] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aa08 [0090.223] ITrigger:put_Id (This=0x29f0750, Id="Trigger1") returned 0x0 [0090.223] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa08 | out: hHeap=0x470000) returned 1 [0090.223] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af12c | out: lpSystemTimeAsFileTime=0x3af12c*(dwLowDateTime=0x500011c0, dwHighDateTime=0x1d7fb45)) [0090.223] GetEnvironmentStringsW () returned 0x2cad148* [0090.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1415, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1415 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x587) returned 0x2cadc60 [0090.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1415, lpMultiByteStr=0x2cadc60, cbMultiByte=1415, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1415 [0090.224] FreeEnvironmentStringsW (penv=0x2cad148) returned 1 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x98) returned 0x4be418 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1f) returned 0x2c6dee8 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2b) returned 0x2c98a88 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x37) returned 0x2c5f650 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3c) returned 0x2c96990 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x31) returned 0x2c5f690 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x18) returned 0x2c99e88 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x24) returned 0x2ca4158 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x14) returned 0x2c99ea8 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xd) returned 0x2c4aa08 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x2c6df10 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2e) returned 0x2c98ac0 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x19) returned 0x2c6df38 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x17) returned 0x2c99ec8 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xe) returned 0x2c4aa80 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x95) returned 0x4be4b8 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3e) returned 0x2c969d8 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1b) returned 0x2c6df60 [0090.224] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1d) returned 0x2c6df88 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x48) returned 0x2c8a200 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x2c99f08 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x18) returned 0x2c99f28 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1b) returned 0x2c6dfb0 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x24) returned 0x2ca4188 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x29) returned 0x2c98af8 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1e) returned 0x2c6dfd8 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x6b) returned 0x2c5e6a0 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x17) returned 0x2c99ee8 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xf) returned 0x2c4aa68 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x16) returned 0x2c99f48 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2a) returned 0x2c98b30 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x29) returned 0x2c98b68 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x16) returned 0x2c99f68 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x13) returned 0x2c99f88 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1f) returned 0x2c6e000 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x12) returned 0x2c99fa8 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x18) returned 0x2c99fc8 [0090.225] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x46) returned 0x2c8a250 [0090.226] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cadc60 | out: hHeap=0x470000) returned 1 [0090.226] GetLastError () returned 0x0 [0090.226] CompareStringEx (lpLocaleName="en-US", dwCmpFlags=0x1001, lpString1="OS◘I￿翿㑨H㑨H\x02", cchCount1=2, lpString2="TZĝ쳌", cchCount2=2, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0) returned 1 [0090.226] GetTimeZoneInformation (in: lpTimeZoneInformation=0x1260590 | out: lpTimeZoneInformation=0x1260590) returned 0x1 [0090.281] GetLastError () returned 0x0 [0090.281] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x2c3fb10 [0090.281] GetLastError () returned 0x0 [0090.281] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x24) returned 0x2ca41b8 [0090.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x9, lpMultiByteStr=0x11fe610, cbMultiByte=-1, lpWideCharStr=0x2ca41b8, cchWideChar=18 | out: lpWideCharStr="%Y-%m-%dT%H:%M:%S") returned 18 [0090.281] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x208) returned 0x2c57378 [0090.281] GetLastError () returned 0x0 [0090.282] ITrigger:put_StartBoundary (This=0x29f0750, StartBoundary="2021-12-27T18:16:14") returned 0x0 [0090.282] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa98 | out: hHeap=0x470000) returned 1 [0090.282] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98ba0 | out: hHeap=0x470000) returned 1 [0090.282] IDailyTrigger:put_DaysInterval (This=0x29f0750, DaysInterval=1) returned 0x0 [0090.282] ITrigger:get_Repetition (in: This=0x29f0750, ppRepeat=0x3af2d8 | out: ppRepeat=0x3af2d8*=0x29f07a0) returned 0x0 [0090.282] IUnknown:Release (This=0x29f0750) returned 0x1 [0090.282] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aa98 [0090.282] IRepetitionPattern:put_Interval (This=0x29f07a0, Interval="PT10M") returned 0x0 [0090.282] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa98 | out: hHeap=0x470000) returned 1 [0090.282] IUnknown:Release (This=0x29f07a0) returned 0x1 [0090.282] ITaskDefinition:get_Actions (in: This=0x29f04a0, ppActions=0x3af2c8 | out: ppActions=0x3af2c8*=0x29f0518) returned 0x0 [0090.282] IActionCollection:Create (in: This=0x29f0518, Type=0, ppAction=0x3af2c4 | out: ppAction=0x3af2c4*=0x29f07e8) returned 0x0 [0090.283] IUnknown:Release (This=0x29f0518) returned 0x1 [0090.283] IUnknown:QueryInterface (in: This=0x29f07e8, riid=0x11f3850*(Data1=0x4c3d624d, Data2=0xfd6b, Data3=0x49a3, Data4=([0]=0xb9, [1]=0xb7, [2]=0x9, [3]=0xcb, [4]=0x3c, [5]=0xd3, [6]=0xf0, [7]=0x47)), ppvObject=0x3af2d4 | out: ppvObject=0x3af2d4*=0x29f07e8) returned 0x0 [0090.283] IUnknown:Release (This=0x29f07e8) returned 0x2 [0090.283] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aa98 [0090.283] IExecAction:put_Path (This=0x29f07e8, Path="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe") returned 0x0 [0090.283] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa98 | out: hHeap=0x470000) returned 1 [0090.283] ITaskDefinition:get_Settings (in: This=0x29f04a0, ppSettings=0x3af2bc | out: ppSettings=0x3af2bc*=0x29f0610) returned 0x0 [0090.283] ITaskSettings:put_Hidden (This=0x29f0610, Hidden=1) returned 0x0 [0090.302] ITaskDefinition:put_Settings (This=0x29f04a0, Settings=0x29f0610) returned 0x0 [0090.302] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aa98 [0090.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x11fdcba, cbMultiByte=1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1 [0090.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x11fdcba, cbMultiByte=1, lpWideCharStr=0x3af190, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0090.303] SysStringByteLen (bstr="") returned 0x0 [0090.303] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4aaf8 [0090.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x11fdcba, cbMultiByte=1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1 [0090.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x11fdcba, cbMultiByte=1, lpWideCharStr=0x3af190, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0090.303] SysStringByteLen (bstr="") returned 0x0 [0090.303] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x2c4ab40 [0090.303] ITaskFolder:RegisterTaskDefinition (in: This=0x29f0448, Path="update", pDefinition=0x29f04a0, flags=6, UserId=0x3af1d4*(varType=0x8, wReserved1=0x0, wReserved2=0xc0c8, wReserved3=0x4d, varVal1="", varVal2=0x77a0e003), password=0x3af1e4*(varType=0x8, wReserved1=0x769c, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x4dbe78), LogonType=0, sddl=0x3af1f8*(varType=0x8, wReserved1=0x77a5, wReserved2=0xfcab, wReserved3=0xe2, varVal1="", varVal2=0x1f5), ppTask=0x3af2b8 | out: ppTask=0x3af2b8*=0x29f0850) returned 0x0 [0090.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4ab40 | out: hHeap=0x470000) returned 1 [0090.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aaf8 | out: hHeap=0x470000) returned 1 [0090.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c4aa98 | out: hHeap=0x470000) returned 1 [0090.503] TaskScheduler:IUnknown:Release (This=0x29f0448) returned 0x0 [0090.503] TaskScheduler:IUnknown:Release (This=0x29f04a0) returned 0x0 [0090.503] IUnknown:Release (This=0x29f0850) returned 0x0 [0090.503] CoUninitialize () [0090.513] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x552398 | out: hHeap=0x470000) returned 1 [0090.514] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2bd49f8 | out: hHeap=0x470000) returned 1 [0090.514] GetLogicalDrives () returned 0x4 [0090.514] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0218 [0090.515] WNetGetConnectionW (in: lpLocalName="A:", lpRemoteName=0x4d0218, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.518] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x2c99e28 [0090.518] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0440 [0090.518] WNetGetConnectionW (in: lpLocalName="B:", lpRemoteName=0x4d0440, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98c10 [0090.519] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c99e28 | out: hHeap=0x470000) returned 1 [0090.519] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0668 [0090.519] WNetGetConnectionW (in: lpLocalName="C:", lpRemoteName=0x4d0668, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0668 | out: hHeap=0x470000) returned 1 [0090.520] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0668 [0090.520] WNetGetConnectionW (in: lpLocalName="D:", lpRemoteName=0x4d0668, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.521] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48) returned 0x2c8a0c0 [0090.522] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98c10 | out: hHeap=0x470000) returned 1 [0090.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0890 [0090.522] WNetGetConnectionW (in: lpLocalName="E:", lpRemoteName=0x4d0890, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.522] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c46cc8 [0090.523] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a0c0 | out: hHeap=0x470000) returned 1 [0090.523] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0ab8 [0090.523] WNetGetConnectionW (in: lpLocalName="F:", lpRemoteName=0x4d0ab8, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.523] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2bd49f8 [0090.524] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c46cc8 | out: hHeap=0x470000) returned 1 [0090.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0ce0 [0090.524] WNetGetConnectionW (in: lpLocalName="G:", lpRemoteName=0x4d0ce0, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.525] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d0f08 [0090.525] WNetGetConnectionW (in: lpLocalName="H:", lpRemoteName=0x4d0f08, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xd8) returned 0x5676f8 [0090.526] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2bd49f8 | out: hHeap=0x470000) returned 1 [0090.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d1130 [0090.526] WNetGetConnectionW (in: lpLocalName="I:", lpRemoteName=0x4d1130, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.527] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d1358 [0090.527] WNetGetConnectionW (in: lpLocalName="J:", lpRemoteName=0x4d1358, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.527] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d1580 [0090.527] WNetGetConnectionW (in: lpLocalName="K:", lpRemoteName=0x4d1580, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.528] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x138) returned 0x4e3748 [0090.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x5676f8 | out: hHeap=0x470000) returned 1 [0090.528] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d17a8 [0090.528] WNetGetConnectionW (in: lpLocalName="L:", lpRemoteName=0x4d17a8, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.529] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d19d0 [0090.529] WNetGetConnectionW (in: lpLocalName="M:", lpRemoteName=0x4d19d0, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.530] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d1bf8 [0090.530] WNetGetConnectionW (in: lpLocalName="N:", lpRemoteName=0x4d1bf8, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.530] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d1e20 [0090.530] WNetGetConnectionW (in: lpLocalName="O:", lpRemoteName=0x4d1e20, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.531] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c8) returned 0x2be5338 [0090.531] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e3748 | out: hHeap=0x470000) returned 1 [0090.531] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d2048 [0090.531] WNetGetConnectionW (in: lpLocalName="P:", lpRemoteName=0x4d2048, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.532] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d2270 [0090.532] WNetGetConnectionW (in: lpLocalName="Q:", lpRemoteName=0x4d2270, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.532] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d2498 [0090.532] WNetGetConnectionW (in: lpLocalName="R:", lpRemoteName=0x4d2498, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d26c0 [0090.533] WNetGetConnectionW (in: lpLocalName="S:", lpRemoteName=0x4d26c0, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d28e8 [0090.534] WNetGetConnectionW (in: lpLocalName="T:", lpRemoteName=0x4d28e8, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.534] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d2b10 [0090.534] WNetGetConnectionW (in: lpLocalName="U:", lpRemoteName=0x4d2b10, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2a0) returned 0x4c5fb8 [0090.535] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2be5338 | out: hHeap=0x470000) returned 1 [0090.535] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d2d38 [0090.535] WNetGetConnectionW (in: lpLocalName="V:", lpRemoteName=0x4d2d38, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d2f60 [0090.536] WNetGetConnectionW (in: lpLocalName="W:", lpRemoteName=0x4d2f60, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.536] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0090.536] WNetGetConnectionW (in: lpLocalName="X:", lpRemoteName=0x4d3188, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.537] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d33b0 [0090.537] WNetGetConnectionW (in: lpLocalName="Y:", lpRemoteName=0x4d33b0, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.537] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x2c6ed68 [0090.538] WNetGetConnectionW (in: lpLocalName="Z:", lpRemoteName=0x2c6ed68, lpnLength=0x3af2ac | out: lpRemoteName="", lpnLength=0x3af2ac) returned 0x8ca [0090.538] FindFirstVolumeW (in: lpszVolumeName=0x3af0d0, cchBufferLength=0x104 | out: lpszVolumeName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\") returned 0x4c6260 [0090.539] QueryDosDeviceW (in: lpDeviceName="Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}", lpTargetPath=0x3aeec8, ucchMax=0x104 | out: lpTargetPath="\\Device\\HarddiskVolume1") returned 0x19 [0090.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98c10 [0090.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e5b0 [0090.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x2c6ef90 [0090.539] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\", lpszVolumePathNames=0x2c6ef90, cchBufferLength=0x104, lpcchReturnLength=0x3aee58 | out: lpszVolumePathNames=0x2c6ef90, lpcchReturnLength=0x3aee58) returned 1 [0090.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x48) returned 0x2c8a0c0 [0090.539] FindNextVolumeW (in: hFindVolume=0x4c6260, lpszVolumeName=0x3af0d0, cchBufferLength=0x104 | out: hFindVolume=0x4c6260, lpszVolumeName="\\\\?\\Volume{e051b542-7147-11eb-bfc5-806e6f6e6963}\\") returned 0 [0090.539] FindVolumeClose (hFindVolume=0x4c6260) returned 1 [0090.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6ef90 | out: hHeap=0x470000) returned 1 [0090.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e5b0 | out: hHeap=0x470000) returned 1 [0090.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98c10 | out: hHeap=0x470000) returned 1 [0090.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a0c0 | out: hHeap=0x470000) returned 1 [0090.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0218 | out: hHeap=0x470000) returned 1 [0090.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0440 | out: hHeap=0x470000) returned 1 [0090.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0668 | out: hHeap=0x470000) returned 1 [0090.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0890 | out: hHeap=0x470000) returned 1 [0090.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0ab8 | out: hHeap=0x470000) returned 1 [0090.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0ce0 | out: hHeap=0x470000) returned 1 [0090.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d0f08 | out: hHeap=0x470000) returned 1 [0090.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d1130 | out: hHeap=0x470000) returned 1 [0090.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d1358 | out: hHeap=0x470000) returned 1 [0090.543] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d1580 | out: hHeap=0x470000) returned 1 [0090.543] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d17a8 | out: hHeap=0x470000) returned 1 [0090.545] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d19d0 | out: hHeap=0x470000) returned 1 [0090.545] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d1bf8 | out: hHeap=0x470000) returned 1 [0090.545] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d1e20 | out: hHeap=0x470000) returned 1 [0090.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d2048 | out: hHeap=0x470000) returned 1 [0090.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d2270 | out: hHeap=0x470000) returned 1 [0090.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d2498 | out: hHeap=0x470000) returned 1 [0090.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d26c0 | out: hHeap=0x470000) returned 1 [0090.547] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d28e8 | out: hHeap=0x470000) returned 1 [0090.547] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d2b10 | out: hHeap=0x470000) returned 1 [0090.547] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d2d38 | out: hHeap=0x470000) returned 1 [0090.547] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d2f60 | out: hHeap=0x470000) returned 1 [0090.548] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0090.548] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d33b0 | out: hHeap=0x470000) returned 1 [0090.548] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6ed68 | out: hHeap=0x470000) returned 1 [0090.548] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c5fb8 | out: hHeap=0x470000) returned 1 [0090.548] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x258) returned 0x4c5fb8 [0090.548] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e050 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6de98 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e0a0 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e078 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6da38 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98c10 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6db00 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6da60 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6da88 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98bd8 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98ba0 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dab0 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dad8 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d678 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d8a8 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d880 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d718 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d9c0 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98a18 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x258) returned 0x4c6488 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d560 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d808 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6d858 [0090.549] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dbc8 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dba0 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c989e0 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dc40 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dc18 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dc90 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98970 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c989a8 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dec0 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6dcb8 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e0c8 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e0f0 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e118 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e140 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e168 [0090.550] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98a50 [0090.550] GetTickCount () returned 0xec23c9 [0090.550] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.551] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="DefWatch", dwDesiredAccess=0x2c) returned 0x0 [0090.551] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.551] GetTickCount () returned 0xec23c9 [0090.551] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.552] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="ccEvtMgr", dwDesiredAccess=0x2c) returned 0x0 [0090.552] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.552] GetTickCount () returned 0xec23c9 [0090.552] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.552] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="ccSetMgr", dwDesiredAccess=0x2c) returned 0x0 [0090.553] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.553] GetTickCount () returned 0xec23c9 [0090.553] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.553] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="SavRoam", dwDesiredAccess=0x2c) returned 0x0 [0090.553] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.553] GetTickCount () returned 0xec23c9 [0090.553] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.554] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="dbsrv12", dwDesiredAccess=0x2c) returned 0x0 [0090.554] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.554] GetTickCount () returned 0xec23c9 [0090.554] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.554] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="sqlservr", dwDesiredAccess=0x2c) returned 0x0 [0090.555] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.555] GetTickCount () returned 0xec23c9 [0090.555] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.555] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="sqlagent", dwDesiredAccess=0x2c) returned 0x0 [0090.555] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.555] GetTickCount () returned 0xec23c9 [0090.555] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.556] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="Intuit.QuickBooks.FCS", dwDesiredAccess=0x2c) returned 0x0 [0090.556] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.557] GetTickCount () returned 0xec23d9 [0090.557] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.557] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="dbeng8", dwDesiredAccess=0x2c) returned 0x0 [0090.557] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.557] GetTickCount () returned 0xec23d9 [0090.557] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.558] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="sqladhlp", dwDesiredAccess=0x2c) returned 0x0 [0090.558] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.558] GetTickCount () returned 0xec23d9 [0090.558] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.558] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="QBIDPService", dwDesiredAccess=0x2c) returned 0x0 [0090.558] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.559] GetTickCount () returned 0xec23d9 [0090.559] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.559] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="Culserver", dwDesiredAccess=0x2c) returned 0x0 [0090.559] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.559] GetTickCount () returned 0xec23d9 [0090.559] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.560] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="RTVscan", dwDesiredAccess=0x2c) returned 0x0 [0090.560] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.560] GetTickCount () returned 0xec23d9 [0090.560] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.561] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="vmware-usbarbitator64", dwDesiredAccess=0x2c) returned 0x0 [0090.561] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.561] GetTickCount () returned 0xec23d9 [0090.561] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.561] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="vmware-converter", dwDesiredAccess=0x2c) returned 0x0 [0090.562] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.562] GetTickCount () returned 0xec23d9 [0090.562] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.562] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="VMAuthdService", dwDesiredAccess=0x2c) returned 0x0 [0090.562] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.563] GetTickCount () returned 0xec23d9 [0090.563] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.563] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="VMnetDHCP", dwDesiredAccess=0x2c) returned 0x0 [0090.563] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.563] GetTickCount () returned 0xec23d9 [0090.563] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.564] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="VMUSBArbService", dwDesiredAccess=0x2c) returned 0x0 [0090.564] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.564] GetTickCount () returned 0xec23d9 [0090.564] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.564] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="VMwareHostd", dwDesiredAccess=0x2c) returned 0x0 [0090.565] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.565] GetTickCount () returned 0xec23d9 [0090.565] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.565] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="sqlbrowser", dwDesiredAccess=0x2c) returned 0x0 [0090.565] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.566] GetTickCount () returned 0xec23d9 [0090.566] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.566] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="SQLADHLP", dwDesiredAccess=0x2c) returned 0x0 [0090.566] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.566] GetTickCount () returned 0xec23d9 [0090.566] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.567] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="sqlwriter", dwDesiredAccess=0x2c) returned 0x0 [0090.567] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.567] GetTickCount () returned 0xec23d9 [0090.567] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.567] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="msmdsrv", dwDesiredAccess=0x2c) returned 0x0 [0090.568] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.568] GetTickCount () returned 0xec23d9 [0090.568] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.568] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="tomcat6", dwDesiredAccess=0x2c) returned 0x0 [0090.568] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.568] GetTickCount () returned 0xec23d9 [0090.568] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e1b8 [0090.569] OpenServiceW (hSCManager=0x2c6e1b8, lpServiceName="QBCFMonitorService", dwDesiredAccess=0x2c) returned 0x0 [0090.569] CloseServiceHandle (hSCObject=0x2c6e1b8) returned 1 [0090.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x258) returned 0x2c4ddb0 [0090.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e1e0 [0090.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e1b8 [0090.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e190 [0090.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e208 [0090.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e230 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98c48 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e258 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e280 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e2a8 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98c80 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98cb8 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e2d0 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e2f8 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e320 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e348 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e370 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e398 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e3c0 [0090.570] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98cf0 [0090.570] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.570] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="DefWatch", dwDesiredAccess=0x10020) returned 0x0 [0090.571] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.571] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.571] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="ccEvtMgr", dwDesiredAccess=0x10020) returned 0x0 [0090.571] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.572] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.572] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="ccSetMgr", dwDesiredAccess=0x10020) returned 0x0 [0090.572] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.572] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.573] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="SavRoam", dwDesiredAccess=0x10020) returned 0x0 [0090.573] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.573] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.573] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="dbsrv12", dwDesiredAccess=0x10020) returned 0x0 [0090.573] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.574] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.574] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="sqlservr", dwDesiredAccess=0x10020) returned 0x0 [0090.574] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.574] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.575] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="sqlagent", dwDesiredAccess=0x10020) returned 0x0 [0090.575] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.575] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.575] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="Intuit.QuickBooks.FCS", dwDesiredAccess=0x10020) returned 0x0 [0090.575] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.576] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.576] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="dbeng8", dwDesiredAccess=0x10020) returned 0x0 [0090.576] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.576] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.577] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="sqladhlp", dwDesiredAccess=0x10020) returned 0x0 [0090.577] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.577] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.577] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="QBIDPService", dwDesiredAccess=0x10020) returned 0x0 [0090.577] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.578] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.578] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="Culserver", dwDesiredAccess=0x10020) returned 0x0 [0090.578] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.578] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.579] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="RTVscan", dwDesiredAccess=0x10020) returned 0x0 [0090.579] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.579] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.579] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="vmware-usbarbitator64", dwDesiredAccess=0x10020) returned 0x0 [0090.580] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.580] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.580] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="vmware-converter", dwDesiredAccess=0x10020) returned 0x0 [0090.580] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.580] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.581] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="VMAuthdService", dwDesiredAccess=0x10020) returned 0x0 [0090.581] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.581] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.581] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="VMnetDHCP", dwDesiredAccess=0x10020) returned 0x0 [0090.582] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.582] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.582] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="VMUSBArbService", dwDesiredAccess=0x10020) returned 0x0 [0090.582] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.582] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.583] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="VMwareHostd", dwDesiredAccess=0x10020) returned 0x0 [0090.583] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.583] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.583] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="sqlbrowser", dwDesiredAccess=0x10020) returned 0x0 [0090.584] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.584] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.584] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="SQLADHLP", dwDesiredAccess=0x10020) returned 0x0 [0090.584] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.584] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.585] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="sqlwriter", dwDesiredAccess=0x10020) returned 0x0 [0090.585] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.585] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.585] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="msmdsrv", dwDesiredAccess=0x10020) returned 0x0 [0090.586] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.586] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.586] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="tomcat6", dwDesiredAccess=0x10020) returned 0x0 [0090.586] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.586] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x2c6e410 [0090.587] OpenServiceW (hSCManager=0x2c6e410, lpServiceName="QBCFMonitorService", dwDesiredAccess=0x10020) returned 0x0 [0090.587] CloseServiceHandle (hSCObject=0x2c6e410) returned 1 [0090.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x288) returned 0x2c56178 [0090.587] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e438 [0090.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e410 [0090.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e3e8 [0090.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98d28 [0090.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e460 [0090.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e488 [0090.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e4b0 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e4d8 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e500 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98d60 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e528 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e550 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e578 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e5a0 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e5c8 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e5f0 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e618 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e640 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e668 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98d98 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e690 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e6b8 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e6e0 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e708 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e730 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e758 [0090.589] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e780 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x288) returned 0x2c56408 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e7a8 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e7d0 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e7f8 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98dd0 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e820 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e848 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e870 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e898 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e8c0 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e08 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e8e8 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e910 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e938 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e960 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e988 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e9b0 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6e9d8 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6ea00 [0090.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6ea28 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e40 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6ea50 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6ea78 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eaa0 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eac8 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eaf0 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb18 [0090.591] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb40 [0090.591] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0090.599] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0090.600] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.600] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.600] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0090.601] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0090.602] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.603] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.603] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.613] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.614] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.614] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0090.615] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.615] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.615] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.617] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.617] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.617] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0090.618] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.618] GetLastError () returned 0x424 [0090.618] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0090.621] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.621] GetLastError () returned 0x424 [0090.621] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0090.622] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.622] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.622] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0090.623] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.624] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.625] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.625] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.626] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.626] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.626] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.627] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.628] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.628] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.629] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.629] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.630] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.631] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.631] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.631] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.632] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.632] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.632] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0090.633] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.633] GetLastError () returned 0x424 [0090.633] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0090.637] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.638] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.638] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.638] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0090.639] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.640] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.640] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.641] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.641] GetLastError () returned 0x424 [0090.641] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.642] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.642] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.642] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0090.643] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.643] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.643] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.645] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.645] GetLastError () returned 0x424 [0090.645] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x464, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0090.646] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.646] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.646] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.647] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.647] GetLastError () returned 0x424 [0090.647] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.648] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.648] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.648] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0090.649] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.649] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.649] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0090.650] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.650] GetLastError () returned 0x424 [0090.650] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x110, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0090.651] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.651] GetLastError () returned 0x424 [0090.651] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="husband medical trial.exe")) returned 1 [0090.652] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c968b8 [0090.653] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c968b8 | out: hHeap=0x470000) returned 1 [0090.653] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dinner-professional.exe")) returned 1 [0090.653] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.654] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.654] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="beat.exe")) returned 1 [0090.655] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.655] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.655] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="staff sure.exe")) returned 1 [0090.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.656] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="two-stand.exe")) returned 1 [0090.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.657] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="official.exe")) returned 1 [0090.658] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.658] GetLastError () returned 0x424 [0090.658] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="international.exe")) returned 1 [0090.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.659] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.659] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="should_get_trial.exe")) returned 1 [0090.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.661] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.661] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="keeptripunderstand.exe")) returned 1 [0090.662] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.662] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.662] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="measure parent share.exe")) returned 1 [0090.663] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c968b8 [0090.663] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c968b8 | out: hHeap=0x470000) returned 1 [0090.663] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="past-behind-last.exe")) returned 1 [0090.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.665] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.665] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="decade.exe")) returned 1 [0090.666] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.666] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.666] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="electionbill.exe")) returned 1 [0090.667] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.668] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.668] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="former.exe")) returned 1 [0090.669] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.669] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.669] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="reason.exe")) returned 1 [0090.670] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.670] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mind_situation_season.exe")) returned 1 [0090.671] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c968b8 [0090.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c968b8 | out: hHeap=0x470000) returned 1 [0090.672] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0090.672] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.673] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.673] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0090.674] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.674] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.674] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0090.676] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.676] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.676] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0090.677] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.678] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.678] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0090.679] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.679] GetLastError () returned 0x424 [0090.679] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0090.680] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.681] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.683] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0090.684] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0090.685] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.686] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.686] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0090.687] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.687] GetLastError () returned 0x424 [0090.687] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0090.688] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.689] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.689] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0090.690] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.690] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.691] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0090.692] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.692] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.692] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0090.694] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0090.695] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.695] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.695] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0090.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.697] GetLastError () returned 0x424 [0090.697] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0090.698] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.699] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.699] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0090.700] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.701] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.701] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0090.702] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.703] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.703] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0090.704] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.704] GetLastError () returned 0x424 [0090.704] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0090.705] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.705] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.706] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0090.707] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.707] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0090.708] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.709] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.709] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0090.710] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.711] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.711] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0090.713] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.713] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.713] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0090.714] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.714] GetLastError () returned 0x424 [0090.714] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0090.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.715] GetLastError () returned 0x424 [0090.716] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0090.717] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.717] GetLastError () returned 0x424 [0090.717] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0090.718] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.718] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0090.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.720] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0090.721] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.721] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.721] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0090.722] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.722] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.722] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0090.724] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.724] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.724] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0090.726] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.726] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.726] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0090.727] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.728] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0090.732] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.733] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.733] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0090.734] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.734] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0090.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.736] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.736] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0090.737] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.737] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.737] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0090.739] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.739] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0090.740] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.740] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.740] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0090.742] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.742] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.742] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0090.743] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.743] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.744] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0090.745] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.746] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.746] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="nothing_ok.exe")) returned 1 [0090.747] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.747] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.747] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="building.exe")) returned 1 [0090.749] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.749] GetLastError () returned 0x424 [0090.749] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="nation-lead-song.exe")) returned 1 [0090.750] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.750] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.750] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="student-close.exe")) returned 1 [0090.751] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2c98e78 [0090.752] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c98e78 | out: hHeap=0x470000) returned 1 [0090.752] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="although.exe")) returned 1 [0090.753] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.753] GetLastError () returned 0x424 [0090.753] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.754] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.754] GetLastError () returned 0x424 [0090.755] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0090.756] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.756] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.756] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0090.757] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.758] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.758] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0090.759] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6eb68 [0090.759] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0090.760] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="Avaddon_09_06_2020_1054KB.exe")) returned 1 [0090.761] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c968b8 [0090.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c968b8 | out: hHeap=0x470000) returned 1 [0090.761] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="Avaddon_09_06_2020_1054KB.exe")) returned 0 [0090.762] CloseHandle (hObject=0x510) returned 1 [0090.762] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0090.766] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0090.767] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0090.768] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0090.769] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.770] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0090.771] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.772] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0090.773] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0090.774] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0090.776] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0090.777] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.778] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.779] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.780] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.781] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.782] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.783] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0090.784] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0090.785] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.786] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0090.787] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.788] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.789] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0090.790] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.791] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x464, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0090.792] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.793] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.794] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0090.795] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0090.796] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x110, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0090.797] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="husband medical trial.exe")) returned 1 [0090.798] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dinner-professional.exe")) returned 1 [0090.799] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="beat.exe")) returned 1 [0090.800] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="staff sure.exe")) returned 1 [0090.801] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="two-stand.exe")) returned 1 [0090.802] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="official.exe")) returned 1 [0090.803] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="international.exe")) returned 1 [0090.804] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="should_get_trial.exe")) returned 1 [0090.805] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="keeptripunderstand.exe")) returned 1 [0090.806] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="measure parent share.exe")) returned 1 [0090.807] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="past-behind-last.exe")) returned 1 [0090.808] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="decade.exe")) returned 1 [0090.809] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="electionbill.exe")) returned 1 [0090.810] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="former.exe")) returned 1 [0090.811] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="reason.exe")) returned 1 [0090.812] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mind_situation_season.exe")) returned 1 [0090.813] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0090.814] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0090.815] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0090.816] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0090.817] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0090.818] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0090.819] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0090.820] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0090.821] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0090.823] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0090.824] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0090.825] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0090.826] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0090.827] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0090.829] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0090.830] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0090.832] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0090.833] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0090.834] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0090.836] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0090.840] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0090.842] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0090.843] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0090.844] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0090.845] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0090.847] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0090.848] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0090.849] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0090.851] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0090.852] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0090.853] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0090.855] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0090.856] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0090.857] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0090.858] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0090.860] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0090.861] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0090.862] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0090.863] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0090.864] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0090.866] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0090.867] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0090.874] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0090.876] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="nothing_ok.exe")) returned 1 [0090.877] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x87c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="building.exe")) returned 1 [0090.878] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="nation-lead-song.exe")) returned 1 [0090.879] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="student-close.exe")) returned 1 [0090.880] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="although.exe")) returned 1 [0090.881] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.882] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0090.883] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0090.889] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0090.890] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="Avaddon_09_06_2020_1054KB.exe")) returned 1 [0090.891] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="Avaddon_09_06_2020_1054KB.exe")) returned 0 [0090.892] CloseHandle (hObject=0x510) returned 1 [0090.892] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0090.896] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0090.897] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0090.898] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0090.899] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.901] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0090.902] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.903] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0090.904] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0090.905] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0090.906] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0090.907] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.908] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.909] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.909] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.910] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.911] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.912] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0090.913] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0090.914] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.947] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0090.948] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.949] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.950] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0090.951] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0090.952] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x464, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0090.953] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.954] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.955] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x46c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0090.956] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0090.957] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x110, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0090.958] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="husband medical trial.exe")) returned 1 [0090.959] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dinner-professional.exe")) returned 1 [0090.960] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="beat.exe")) returned 1 [0090.961] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="staff sure.exe")) returned 1 [0090.963] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="two-stand.exe")) returned 1 [0090.964] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="official.exe")) returned 1 [0090.965] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="international.exe")) returned 1 [0090.966] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="should_get_trial.exe")) returned 1 [0090.967] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="keeptripunderstand.exe")) returned 1 [0090.968] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="measure parent share.exe")) returned 1 [0090.969] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="past-behind-last.exe")) returned 1 [0090.970] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="decade.exe")) returned 1 [0090.971] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="electionbill.exe")) returned 1 [0090.971] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="former.exe")) returned 1 [0090.972] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="reason.exe")) returned 1 [0090.973] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mind_situation_season.exe")) returned 1 [0090.974] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0090.975] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0090.976] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0090.978] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0090.979] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0090.980] Process32NextW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0091.033] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.038] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.126] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.131] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.205] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.210] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.282] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.286] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.347] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.353] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.430] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.435] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.503] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.509] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.567] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.572] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.625] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.629] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.685] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.689] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.740] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.745] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.796] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.801] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.815] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0091.815] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0091.816] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0091.816] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6eb68 | out: hHeap=0x470000) returned 1 [0091.817] GetLastError () returned 0x12 [0091.871] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.875] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.932] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0091.936] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.998] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.003] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.060] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.065] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.129] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.136] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.197] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.202] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.264] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.268] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.337] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.342] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.468] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.475] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.538] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.543] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.610] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.615] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.679] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x510 [0092.684] Process32FirstW (in: hSnapshot=0x510, lppe=0x3af118 | out: lppe=0x3af118*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.783] WaitForSingleObject (hHandle=0x508, dwMilliseconds=0xffffffff) returned 0x0 [0096.779] CloseHandle (hObject=0x510) returned 1 [0096.779] CloseHandle (hObject=0x508) returned 1 [0096.779] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85c48 | out: hHeap=0x470000) returned 1 [0096.779] GetLastError () returned 0x12 [0096.803] WaitForSingleObject (hHandle=0x510, dwMilliseconds=0xffffffff) returned 0x0 [0098.533] CloseHandle (hObject=0x508) returned 1 [0098.533] CloseHandle (hObject=0x510) returned 1 [0098.534] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85c48 | out: hHeap=0x470000) returned 1 [0098.534] GetLastError () returned 0x2 [0098.548] WaitForSingleObject (hHandle=0x508, dwMilliseconds=0xffffffff) returned 0x0 [0099.858] CloseHandle (hObject=0x510) returned 1 [0099.858] CloseHandle (hObject=0x508) returned 1 [0099.858] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85c48 | out: hHeap=0x470000) returned 1 [0099.858] GetLastError () returned 0x2 [0099.865] WaitForSingleObject (hHandle=0x510, dwMilliseconds=0xffffffff) returned 0x0 [0100.119] CloseHandle (hObject=0x508) returned 1 [0100.119] CloseHandle (hObject=0x510) returned 1 [0100.119] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85c48 | out: hHeap=0x470000) returned 1 [0100.119] GetLastError () returned 0x2 [0100.129] WaitForSingleObject (hHandle=0x508, dwMilliseconds=0xffffffff) returned 0x0 [0100.707] CloseHandle (hObject=0x510) returned 1 [0100.707] CloseHandle (hObject=0x508) returned 1 [0100.708] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85c48 | out: hHeap=0x470000) returned 1 [0100.708] GetLastError () returned 0x2 [0100.715] WaitForSingleObject (hHandle=0x510, dwMilliseconds=0xffffffff) returned 0x0 [0101.008] CloseHandle (hObject=0x508) returned 1 [0101.008] CloseHandle (hObject=0x510) returned 1 [0101.008] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c85c48 | out: hHeap=0x470000) returned 1 [0101.014] SHEmptyRecycleBinW (hwnd=0x0, pszRootPath=0x0, dwFlags=0x7) returned 0x8000ffff [0102.807] GetLastError () returned 0x0 [0102.807] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2c6ecd0 [0102.807] GetLastError () returned 0x0 [0102.807] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57b8 [0102.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2ca57b8, cbMultiByte=23, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 23 [0102.807] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb28 [0102.807] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2ca57b8, cbMultiByte=23, lpWideCharStr=0x2cbbb28, cchWideChar=23 | out: lpWideCharStr="EnableLinkedConnections") returned 23 [0102.808] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c6ecd0 | out: hHeap=0x470000) returned 1 [0102.808] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57b8 | out: hHeap=0x470000) returned 1 [0102.808] GetLastError () returned 0x0 [0102.808] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57b8 [0102.808] GetLastError () returned 0x0 [0102.809] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.809] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57b8 | out: hHeap=0x470000) returned 1 [0102.809] GetLastError () returned 0x0 [0102.809] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x2c8a110 [0102.809] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb60 | out: hHeap=0x470000) returned 1 [0102.809] GetLastError () returned 0x0 [0102.809] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57b8 [0102.809] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.810] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57b8 | out: hHeap=0x470000) returned 1 [0102.810] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x47) returned 0x2c8a160 [0102.810] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb60 | out: hHeap=0x470000) returned 1 [0102.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2c8a160, cbMultiByte=57, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 57 [0102.810] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0102.810] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x2c8a160, cbMultiByte=57, lpWideCharStr=0x4d54b0, cchWideChar=57 | out: lpWideCharStr="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0102.810] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0102.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a160 | out: hHeap=0x470000) returned 1 [0102.811] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", ulOptions=0x0, samDesired=0xf003f, phkResult=0x3af354 | out: phkResult=0x3af354*=0x528) returned 0x0 [0102.811] RegSetValueExW (in: hKey=0x528, lpValueName="EnableLinkedConnections", Reserved=0x0, dwType=0x4, lpData=0x3af350*=0x1, cbData=0x4 | out: lpData=0x3af350*=0x1) returned 0x0 [0102.815] RegCloseKey (hKey=0x528) returned 0x0 [0102.816] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0102.816] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb28 | out: hHeap=0x470000) returned 1 [0102.816] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb28 [0102.816] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0102.816] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0102.817] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8da8 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8e10 [0102.817] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8da8 | out: hHeap=0x470000) returned 1 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8da8 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26958 [0102.817] RtlInitializeConditionVariable () returned 0x2c26974 [0102.817] RtlInitializeConditionVariable () returned 0x2c269a0 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8e78 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x2c5f790 [0102.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8ee0 [0102.818] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8e78 | out: hHeap=0x470000) returned 1 [0102.818] InitOnceExecuteOnce (in: InitOnce=0x12609a4, InitFn=0x116b2b0, Parameter=0x3af1b0, Context=0x0 | out: InitOnce=0x12609a4, Parameter=0x3af1b0, Context=0x0) returned 1 [0102.818] RtlWakeAllConditionVariable () returned 0x0 [0102.818] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x4c66e8 [0102.818] RtlInitializeConditionVariable () returned 0x4c6714 [0102.818] RtlInitializeConditionVariable () returned 0x4c674c [0102.818] RtlInitializeConditionVariable () returned 0x4c6778 [0102.818] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x2cbe3c0 [0102.818] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x2c9a008 [0102.818] CreateThreadpoolWork (in: pfnwk=0x118f37f, pv=0x2c9a008, pcbe=0x0 | out: pv=0x2c9a008) returned 0x4dc160 [0102.819] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x3af0b8 | out: phModule=0x3af0b8*=0x1160000) returned 1 [0102.819] TpPostWork () returned 0x0 [0102.819] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8da8 | out: hHeap=0x470000) returned 1 [0102.819] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8e10 | out: hHeap=0x470000) returned 1 [0102.819] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57b8 [0102.820] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0102.820] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0102.820] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0102.820] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0102.820] GetCurrentThreadId () returned 0xae8 [0102.820] GetCurrentThreadId () returned 0xae8 [0102.820] QueryPerformanceFrequency (in: lpFrequency=0x3af174 | out: lpFrequency=0x3af174*=100000000) returned 1 [0102.820] QueryPerformanceCounter (in: lpPerformanceCount=0x3af174 | out: lpPerformanceCount=0x3af174*=1564612364148) returned 1 [0102.820] QueryPerformanceFrequency (in: lpFrequency=0x3af174 | out: lpFrequency=0x3af174*=100000000) returned 1 [0102.820] QueryPerformanceCounter (in: lpPerformanceCount=0x3af174 | out: lpPerformanceCount=0x3af174*=1564612377699) returned 1 [0102.820] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af174 | out: lpSystemTimeAsFileTime=0x3af174*(dwLowDateTime=0x543660a0, dwHighDateTime=0x1d7fb45)) [0102.820] GetCurrentThreadId () returned 0xae8 [0102.820] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af110 | out: lpSystemTimeAsFileTime=0x3af110*(dwLowDateTime=0x543660a0, dwHighDateTime=0x1d7fb45)) [0102.820] SleepConditionVariableSRW (in: ConditionVariable=0x2c269a0, SRWLock=0x2c26974, dwMilliseconds=0x1, Flags=0x0 | out: ConditionVariable=0x2c269a0, SRWLock=0x2c26974) returned 1 [0102.826] GetCurrentThreadId () returned 0xae8 [0102.826] GetCurrentThreadId () returned 0xae8 [0102.826] GetCurrentThreadId () returned 0xae8 [0102.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c66e8 | out: hHeap=0x470000) returned 1 [0102.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8ee0 | out: hHeap=0x470000) returned 1 [0102.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5f790 | out: hHeap=0x470000) returned 1 [0102.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c26958 | out: hHeap=0x470000) returned 1 [0102.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0102.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0102.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e9e8 [0102.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5ea60 [0102.828] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e9e8 | out: hHeap=0x470000) returned 1 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e9e8 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26958 [0102.828] RtlInitializeConditionVariable () returned 0x2c26974 [0102.828] RtlInitializeConditionVariable () returned 0x2c269a0 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5ead8 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x2c5f790 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0102.828] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5ead8 | out: hHeap=0x470000) returned 1 [0102.828] InitOnceExecuteOnce (in: InitOnce=0x12609a4, InitFn=0x116b2b0, Parameter=0x3af1b0, Context=0x0 | out: InitOnce=0x12609a4, Parameter=0x3af1b0, Context=0x0) returned 1 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x4c66e8 [0102.828] RtlInitializeConditionVariable () returned 0x4c6714 [0102.828] RtlInitializeConditionVariable () returned 0x4c674c [0102.828] RtlInitializeConditionVariable () returned 0x4c6778 [0102.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4c54a8 [0102.829] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x2c9a008 [0102.829] CreateThreadpoolWork (in: pfnwk=0x118f37f, pv=0x2c9a008, pcbe=0x0 | out: pv=0x2c9a008) returned 0x4dc160 [0102.829] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x3af0b8 | out: phModule=0x3af0b8*=0x1160000) returned 1 [0102.829] TpPostWork () returned 0x0 [0102.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e9e8 | out: hHeap=0x470000) returned 1 [0102.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5ea60 | out: hHeap=0x470000) returned 1 [0102.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0102.830] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9c90 [0102.830] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9d40 [0102.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9c90 | out: hHeap=0x470000) returned 1 [0102.830] GetCurrentThreadId () returned 0xae8 [0102.830] GetCurrentThreadId () returned 0xae8 [0102.830] QueryPerformanceFrequency (in: lpFrequency=0x3af174 | out: lpFrequency=0x3af174*=100000000) returned 1 [0102.831] QueryPerformanceCounter (in: lpPerformanceCount=0x3af174 | out: lpPerformanceCount=0x3af174*=1564613416449) returned 1 [0102.831] QueryPerformanceFrequency (in: lpFrequency=0x3af174 | out: lpFrequency=0x3af174*=100000000) returned 1 [0102.831] QueryPerformanceCounter (in: lpPerformanceCount=0x3af174 | out: lpPerformanceCount=0x3af174*=1564613434702) returned 1 [0102.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af174 | out: lpSystemTimeAsFileTime=0x3af174*(dwLowDateTime=0x543660a0, dwHighDateTime=0x1d7fb45)) [0102.831] GetCurrentThreadId () returned 0xae8 [0102.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af110 | out: lpSystemTimeAsFileTime=0x3af110*(dwLowDateTime=0x543660a0, dwHighDateTime=0x1d7fb45)) [0102.831] SleepConditionVariableSRW (in: ConditionVariable=0x2c269a0, SRWLock=0x2c26974, dwMilliseconds=0x1, Flags=0x0 | out: ConditionVariable=0x2c269a0, SRWLock=0x2c26974) returned 1 [0102.834] GetCurrentThreadId () returned 0xae8 [0102.834] GetCurrentThreadId () returned 0xae8 [0102.834] GetCurrentThreadId () returned 0xae8 [0102.835] SleepConditionVariableSRW (in: ConditionVariable=0x4c674c, SRWLock=0x4c6778, dwMilliseconds=0xffffffff, Flags=0x0 | out: ConditionVariable=0x4c674c, SRWLock=0x4c6778) returned 1 [0102.835] GetCurrentThreadId () returned 0xae8 [0102.836] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0102.836] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5f790 | out: hHeap=0x470000) returned 1 [0102.836] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c26958 | out: hHeap=0x470000) returned 1 [0102.836] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0102.836] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9c90 [0102.836] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9d98 [0102.836] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9df0 [0102.836] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9d98 | out: hHeap=0x470000) returned 1 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9d98 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26958 [0102.837] RtlInitializeConditionVariable () returned 0x2c26974 [0102.837] RtlInitializeConditionVariable () returned 0x2c269a0 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9e48 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x2c5f790 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ea0 [0102.837] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9e48 | out: hHeap=0x470000) returned 1 [0102.837] InitOnceExecuteOnce (in: InitOnce=0x12609a4, InitFn=0x116b2b0, Parameter=0x3af1b0, Context=0x0 | out: InitOnce=0x12609a4, Parameter=0x3af1b0, Context=0x0) returned 1 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x2bdbc60 [0102.837] RtlInitializeConditionVariable () returned 0x2bdbc8c [0102.837] RtlInitializeConditionVariable () returned 0x2bdbcc4 [0102.837] RtlInitializeConditionVariable () returned 0x2bdbcf0 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x2cbe408 [0102.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x2c99e08 [0102.837] CreateThreadpoolWork (in: pfnwk=0x118f37f, pv=0x2c99e08, pcbe=0x0 | out: pv=0x2c99e08) returned 0x4dce50 [0102.838] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x3af0b8 | out: phModule=0x3af0b8*=0x1160000) returned 1 [0102.838] TpPostWork () returned 0x0 [0102.838] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9d98 | out: hHeap=0x470000) returned 1 [0102.838] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9df0 | out: hHeap=0x470000) returned 1 [0102.838] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9d40 | out: hHeap=0x470000) returned 1 [0102.838] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0102.838] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0102.839] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0102.839] GetCurrentThreadId () returned 0xae8 [0102.839] GetCurrentThreadId () returned 0xae8 [0102.839] QueryPerformanceFrequency (in: lpFrequency=0x3af174 | out: lpFrequency=0x3af174*=100000000) returned 1 [0102.839] QueryPerformanceCounter (in: lpPerformanceCount=0x3af174 | out: lpPerformanceCount=0x3af174*=1564614238537) returned 1 [0102.839] QueryPerformanceFrequency (in: lpFrequency=0x3af174 | out: lpFrequency=0x3af174*=100000000) returned 1 [0102.839] QueryPerformanceCounter (in: lpPerformanceCount=0x3af174 | out: lpPerformanceCount=0x3af174*=1564614252915) returned 1 [0102.839] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af174 | out: lpSystemTimeAsFileTime=0x3af174*(dwLowDateTime=0x5438c200, dwHighDateTime=0x1d7fb45)) [0102.839] GetCurrentThreadId () returned 0xae8 [0102.839] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af110 | out: lpSystemTimeAsFileTime=0x3af110*(dwLowDateTime=0x5438c200, dwHighDateTime=0x1d7fb45)) [0102.839] SleepConditionVariableSRW (in: ConditionVariable=0x2c269a0, SRWLock=0x2c26974, dwMilliseconds=0x1, Flags=0x0 | out: ConditionVariable=0x2c269a0, SRWLock=0x2c26974) returned 1 [0102.841] GetCurrentThreadId () returned 0xae8 [0102.841] GetCurrentThreadId () returned 0xae8 [0102.841] GetCurrentThreadId () returned 0xae8 [0102.842] SleepConditionVariableSRW (in: ConditionVariable=0x2bdbcc4, SRWLock=0x2bdbcf0, dwMilliseconds=0xffffffff, Flags=0x0 | out: ConditionVariable=0x2bdbcc4, SRWLock=0x2bdbcf0) returned 1 [0102.843] GetCurrentThreadId () returned 0xae8 [0102.843] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ea0 | out: hHeap=0x470000) returned 1 [0102.843] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5f790 | out: hHeap=0x470000) returned 1 [0102.843] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c26958 | out: hHeap=0x470000) returned 1 [0102.843] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9c90 | out: hHeap=0x470000) returned 1 [0102.843] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0102.843] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8da8 [0102.843] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8e10 [0102.844] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8da8 | out: hHeap=0x470000) returned 1 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8da8 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26958 [0102.844] RtlInitializeConditionVariable () returned 0x2c26974 [0102.844] RtlInitializeConditionVariable () returned 0x2c269a0 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8e78 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x2c5f790 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2ca8ee0 [0102.844] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8e78 | out: hHeap=0x470000) returned 1 [0102.844] InitOnceExecuteOnce (in: InitOnce=0x12609a4, InitFn=0x116b2b0, Parameter=0x3af1b0, Context=0x0 | out: InitOnce=0x12609a4, Parameter=0x3af1b0, Context=0x0) returned 1 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x4c66e8 [0102.844] RtlInitializeConditionVariable () returned 0x4c6714 [0102.844] RtlInitializeConditionVariable () returned 0x4c674c [0102.844] RtlInitializeConditionVariable () returned 0x4c6778 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4c54a8 [0102.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x2c9a008 [0102.844] CreateThreadpoolWork (in: pfnwk=0x118f37f, pv=0x2c9a008, pcbe=0x0 | out: pv=0x2c9a008) returned 0x4dc160 [0102.845] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x3af0b8 | out: phModule=0x3af0b8*=0x1160000) returned 1 [0102.845] TpPostWork () returned 0x0 [0102.845] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8da8 | out: hHeap=0x470000) returned 1 [0102.845] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8e10 | out: hHeap=0x470000) returned 1 [0102.845] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0102.845] GetLogicalDrives () returned 0x4 [0102.845] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d33b0 [0102.845] WNetGetConnectionW (in: lpLocalName="A:", lpRemoteName=0x4d33b0, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.847] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d33b0 | out: hHeap=0x470000) returned 1 [0102.847] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d33b0 [0102.847] WNetGetConnectionW (in: lpLocalName="B:", lpRemoteName=0x4d33b0, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.848] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d33b0 | out: hHeap=0x470000) returned 1 [0102.848] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d33b0 [0102.848] WNetGetConnectionW (in: lpLocalName="C:", lpRemoteName=0x4d33b0, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.848] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x2c99e48 [0102.848] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.848] WNetGetConnectionW (in: lpLocalName="D:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.849] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.849] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.850] WNetGetConnectionW (in: lpLocalName="E:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.851] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.851] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.851] WNetGetConnectionW (in: lpLocalName="F:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.852] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.852] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.852] WNetGetConnectionW (in: lpLocalName="G:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.852] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.852] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.853] WNetGetConnectionW (in: lpLocalName="H:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.853] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.853] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.854] WNetGetConnectionW (in: lpLocalName="I:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.854] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.854] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.854] WNetGetConnectionW (in: lpLocalName="J:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.855] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.855] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.855] WNetGetConnectionW (in: lpLocalName="K:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.856] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.856] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.856] WNetGetConnectionW (in: lpLocalName="L:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.857] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.857] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.857] WNetGetConnectionW (in: lpLocalName="M:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.858] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.858] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.858] WNetGetConnectionW (in: lpLocalName="N:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.859] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.859] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.859] WNetGetConnectionW (in: lpLocalName="O:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.860] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.860] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.860] WNetGetConnectionW (in: lpLocalName="P:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.861] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.861] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.861] WNetGetConnectionW (in: lpLocalName="Q:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.862] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.862] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.862] WNetGetConnectionW (in: lpLocalName="R:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.863] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.863] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.863] WNetGetConnectionW (in: lpLocalName="S:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.864] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.864] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.864] WNetGetConnectionW (in: lpLocalName="T:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.864] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.865] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.865] WNetGetConnectionW (in: lpLocalName="U:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.866] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.866] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.866] WNetGetConnectionW (in: lpLocalName="V:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.867] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.867] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.867] WNetGetConnectionW (in: lpLocalName="W:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.868] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.868] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.868] WNetGetConnectionW (in: lpLocalName="X:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.869] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.869] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.869] WNetGetConnectionW (in: lpLocalName="Y:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.870] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.870] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x210) returned 0x4d3188 [0102.870] WNetGetConnectionW (in: lpLocalName="Z:", lpRemoteName=0x4d3188, lpnLength=0x3af2c8 | out: lpRemoteName="", lpnLength=0x3af2c8) returned 0x8ca [0102.871] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d3188 | out: hHeap=0x470000) returned 1 [0102.871] GetCurrentThreadId () returned 0xae8 [0102.871] GetCurrentThreadId () returned 0xae8 [0102.871] QueryPerformanceFrequency (in: lpFrequency=0x3af1c8 | out: lpFrequency=0x3af1c8*=100000000) returned 1 [0102.871] QueryPerformanceCounter (in: lpPerformanceCount=0x3af1c8 | out: lpPerformanceCount=0x3af1c8*=1564617455478) returned 1 [0102.871] QueryPerformanceFrequency (in: lpFrequency=0x3af1c8 | out: lpFrequency=0x3af1c8*=100000000) returned 1 [0102.871] QueryPerformanceCounter (in: lpPerformanceCount=0x3af1c8 | out: lpPerformanceCount=0x3af1c8*=1564617469908) returned 1 [0102.871] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af1c8 | out: lpSystemTimeAsFileTime=0x3af1c8*(dwLowDateTime=0x543d84c0, dwHighDateTime=0x1d7fb45)) [0102.871] GetCurrentThreadId () returned 0xae8 [0102.871] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3af164 | out: lpSystemTimeAsFileTime=0x3af164*(dwLowDateTime=0x543d84c0, dwHighDateTime=0x1d7fb45)) [0102.871] SleepConditionVariableSRW (in: ConditionVariable=0x2c269a0, SRWLock=0x2c26974, dwMilliseconds=0x1, Flags=0x0 | out: ConditionVariable=0x2c269a0, SRWLock=0x2c26974) returned 1 [0102.941] GetCurrentThreadId () returned 0xae8 [0102.941] GetCurrentThreadId () returned 0xae8 [0102.941] GetCurrentThreadId () returned 0xae8 [0102.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c66e8 | out: hHeap=0x470000) returned 1 [0102.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8ee0 | out: hHeap=0x470000) returned 1 [0102.943] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5f790 | out: hHeap=0x470000) returned 1 [0102.944] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c26958 | out: hHeap=0x470000) returned 1 [0102.944] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0102.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26958 [0102.944] RtlInitializeConditionVariable () returned 0x2c26974 [0102.944] RtlInitializeConditionVariable () returned 0x2c269a0 [0102.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x2c5f790 [0102.944] InitOnceExecuteOnce (in: InitOnce=0x12609a4, InitFn=0x116b2b0, Parameter=0x3af204, Context=0x0 | out: InitOnce=0x12609a4, Parameter=0x3af204, Context=0x0) returned 1 [0102.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x4c66e8 [0102.944] RtlInitializeConditionVariable () returned 0x4c6714 [0102.944] RtlInitializeConditionVariable () returned 0x4c674c [0102.944] RtlInitializeConditionVariable () returned 0x4c6778 [0102.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x2cbe3c0 [0102.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x2c9a008 [0102.944] CreateThreadpoolWork (in: pfnwk=0x118f37f, pv=0x2c9a008, pcbe=0x0 | out: pv=0x2c9a008) returned 0x4dc160 [0102.945] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x3af10c | out: phModule=0x3af10c*=0x1160000) returned 1 [0102.945] TpPostWork () returned 0x0 [0102.945] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x3aefdc | out: lpWSAData=0x3aefdc) returned 0 [0102.945] gethostname (in: name=0x3af190, namelen=260 | out: name="Q9iATrkPrH") returned 0 [0103.615] gethostbyname (name="Q9iATrkPrH") returned 0x2cbbbd0*(h_name="Q9iATrkPrH", h_aliases=0x2cbbbe0*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x2cbbbe4*=([0]="192.168.0.129")) [0103.662] inet_ntoa (in=0x8100a8c0) returned="192.168.0.129" [0103.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3aefb8, cbMultiByte=13, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 13 [0103.662] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5d08 [0103.662] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x3aefb8, cbMultiByte=13, lpWideCharStr=0x2ca5d08, cchWideChar=13 | out: lpWideCharStr="192.168.0.129") returned 13 [0103.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.129", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0103.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.129", cchWideChar=13, lpMultiByteStr=0x3aef00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="192.168.0.129", lpUsedDefaultChar=0x0) returned 13 [0103.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.129", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0103.662] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.129", cchWideChar=13, lpMultiByteStr=0x3aef00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="192.168.0.129", lpUsedDefaultChar=0x0) returned 13 [0103.663] inet_addr (cp="192.168.0.129") returned 0x8100a8c0 [0103.663] inet_addr (cp="192.168.0.129") returned 0x8100a8c0 [0103.663] SendARP (in: DestIP=0x8100a8c0, SrcIP=0x8100a8c0, pMacAddr=0x3aef84, PhyAddrLen=0x3aef68 | out: pMacAddr=0x3aef84, PhyAddrLen=0x3aef68) returned 0x0 [0103.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x2c9b7e8 [0103.664] WSACleanup () returned 0 [0103.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f8e90 [0103.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26a10 [0103.664] RtlInitializeConditionVariable () returned 0x2c26a2c [0103.664] RtlInitializeConditionVariable () returned 0x2c26a58 [0103.664] InitOnceExecuteOnce (in: InitOnce=0x12609a4, InitFn=0x116b2b0, Parameter=0x3af220, Context=0x0 | out: InitOnce=0x12609a4, Parameter=0x3af220, Context=0x0) returned 1 [0103.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x110) returned 0x2bdbc60 [0103.665] RtlInitializeConditionVariable () returned 0x2bdbc8c [0103.665] RtlInitializeConditionVariable () returned 0x2bdbcc4 [0103.665] RtlInitializeConditionVariable () returned 0x2bdbcf0 [0103.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x2cbe558 [0103.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x2c99e08 [0103.665] CreateThreadpoolWork (in: pfnwk=0x118f37f, pv=0x2c99e08, pcbe=0x0 | out: pv=0x2c99e08) returned 0x4dce50 [0103.665] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x3af128 | out: phModule=0x3af128*=0x1160000) returned 1 [0103.665] TpPostWork () returned 0x0 [0103.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x2c3f8c8 [0103.665] GetCurrentThreadId () returned 0xae8 [0103.665] GetCurrentThreadId () returned 0xae8 [0103.666] SleepConditionVariableSRW (ConditionVariable=0x2bdbcc4, SRWLock=0x2bdbcf0, dwMilliseconds=0xffffffff, Flags=0x0) Thread: id = 2 os_tid = 0x8f0 Thread: id = 3 os_tid = 0x8f4 Thread: id = 4 os_tid = 0x8f8 [0103.667] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x27cfd88 | out: phModule=0x27cfd88*=0x1160000) returned 1 [0103.700] GetCurrentThreadId () returned 0x8f8 [0103.701] GetCurrentThreadId () returned 0x8f8 [0103.701] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x27cfdac | out: phModule=0x27cfdac*=0x1160000) returned 1 [0103.701] GetCurrentThreadId () returned 0x8f8 [0103.701] GetCurrentThreadId () returned 0x8f8 [0103.701] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc08 [0103.701] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f8e40 [0103.701] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f8eb8 [0103.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.1", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0103.701] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.1", cchWideChar=11, lpMultiByteStr=0x27cfb80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="192.168.0.1", lpUsedDefaultChar=0x0) returned 11 [0103.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.129", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0103.702] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.129", cchWideChar=13, lpMultiByteStr=0x27cfb80, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="192.168.0.129", lpUsedDefaultChar=0x0) returned 13 [0103.702] inet_addr (cp="192.168.0.129") returned 0x8100a8c0 [0103.702] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0103.702] SendARP (in: DestIP=0x100a8c0, SrcIP=0x8100a8c0, pMacAddr=0x27cfc00, PhyAddrLen=0x27cfbe4 | out: pMacAddr=0x27cfc00, PhyAddrLen=0x27cfbe4) returned 0x0 [0103.754] NetShareEnum (servername="192.168.0.1", level=0x1, bufptr=0x27cfbd4, prefmaxlen=0xffffffff, entriesread=0x27cfbf8, totalentries=0x27cfbd8, resume_handle=0x27cfbdc) Thread: id = 5 os_tid = 0x860 Thread: id = 6 os_tid = 0x9e8 Thread: id = 7 os_tid = 0xaac Thread: id = 131 os_tid = 0x470 [0102.824] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.824] GetCurrentThreadId () returned 0x470 [0102.824] GetCurrentThreadId () returned 0x470 [0102.824] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350faec | out: phModule=0x350faec*=0x1160000) returned 1 [0102.824] GetCurrentThreadId () returned 0x470 [0102.824] GetCurrentThreadId () returned 0x470 [0102.824] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.824] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0102.824] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft\\Exchange Server\\*", lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0102.825] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0102.825] GetCurrentThreadId () returned 0x470 [0102.825] GetCurrentThreadId () returned 0x470 [0102.825] RtlWakeAllConditionVariable () returned 0x0 [0102.825] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb60 | out: hHeap=0x470000) returned 1 [0102.825] GetCurrentThreadId () returned 0x470 [0102.825] GetCurrentThreadId () returned 0x470 [0102.825] GetCurrentThreadId () returned 0x470 [0102.825] GetCurrentThreadId () returned 0x470 [0102.825] RtlWakeAllConditionVariable () returned 0x4c674c [0102.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbe3c0 | out: hHeap=0x470000) returned 1 [0102.826] TpReleaseWork () returned 0x0 [0102.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c9a008 | out: hHeap=0x470000) returned 1 [0102.826] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.826] GetCurrentThreadId () returned 0x470 [0102.826] GetCurrentThreadId () returned 0x470 [0102.826] RtlWakeAllConditionVariable () returned 0x125f75c [0102.831] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.832] GetCurrentThreadId () returned 0x470 [0102.832] GetCurrentThreadId () returned 0x470 [0102.832] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350faec | out: phModule=0x350faec*=0x1160000) returned 1 [0102.832] GetCurrentThreadId () returned 0x470 [0102.832] GetCurrentThreadId () returned 0x470 [0102.832] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.832] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0102.832] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft\\Exchange Server\\*", lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0102.833] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0102.833] GetCurrentThreadId () returned 0x470 [0102.833] GetCurrentThreadId () returned 0x470 [0102.833] RtlWakeAllConditionVariable () returned 0x0 [0102.835] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb60 | out: hHeap=0x470000) returned 1 [0102.835] GetCurrentThreadId () returned 0x470 [0102.835] GetCurrentThreadId () returned 0x470 [0102.835] GetCurrentThreadId () returned 0x470 [0102.835] GetCurrentThreadId () returned 0x470 [0102.835] RtlWakeAllConditionVariable () returned 0x0 [0102.839] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c66e8 | out: hHeap=0x470000) returned 1 [0102.839] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c54a8 | out: hHeap=0x470000) returned 1 [0102.839] TpReleaseWork () returned 0x0 [0102.840] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c9a008 | out: hHeap=0x470000) returned 1 [0102.840] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.840] GetCurrentThreadId () returned 0x470 [0102.840] GetCurrentThreadId () returned 0x470 [0102.840] RtlWakeAllConditionVariable () returned 0x125f75c [0102.840] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.840] GetCurrentThreadId () returned 0x470 [0102.840] GetCurrentThreadId () returned 0x470 [0102.840] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350faec | out: phModule=0x350faec*=0x1160000) returned 1 [0102.840] GetCurrentThreadId () returned 0x470 [0102.841] GetCurrentThreadId () returned 0x470 [0102.841] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.841] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9d40 [0102.841] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server\\*", lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0102.841] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9d40 | out: hHeap=0x470000) returned 1 [0102.841] GetCurrentThreadId () returned 0x470 [0102.841] GetCurrentThreadId () returned 0x470 [0102.841] RtlWakeAllConditionVariable () returned 0x0 [0102.842] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb60 | out: hHeap=0x470000) returned 1 [0102.842] GetCurrentThreadId () returned 0x470 [0102.842] GetCurrentThreadId () returned 0x470 [0102.842] GetCurrentThreadId () returned 0x470 [0102.842] GetCurrentThreadId () returned 0x470 [0102.842] RtlWakeAllConditionVariable () returned 0x0 [0102.872] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2bdbc60 | out: hHeap=0x470000) returned 1 [0102.872] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbe408 | out: hHeap=0x470000) returned 1 [0102.872] TpReleaseWork () returned 0x0 [0102.872] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c99e08 | out: hHeap=0x470000) returned 1 [0102.872] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.872] GetCurrentThreadId () returned 0x470 [0102.872] GetCurrentThreadId () returned 0x470 [0102.872] RtlWakeAllConditionVariable () returned 0x125f75c [0102.873] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.873] GetCurrentThreadId () returned 0x470 [0102.873] GetCurrentThreadId () returned 0x470 [0102.873] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350faec | out: phModule=0x350faec*=0x1160000) returned 1 [0102.873] GetCurrentThreadId () returned 0x470 [0102.873] GetCurrentThreadId () returned 0x470 [0102.873] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.873] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0102.873] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft SQL Server\\*", lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0102.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0102.874] GetCurrentThreadId () returned 0x470 [0102.874] GetCurrentThreadId () returned 0x470 [0102.874] RtlWakeAllConditionVariable () returned 0x0 [0102.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb60 | out: hHeap=0x470000) returned 1 [0102.874] GetCurrentThreadId () returned 0x470 [0102.874] GetCurrentThreadId () returned 0x470 [0102.874] GetCurrentThreadId () returned 0x470 [0102.874] GetCurrentThreadId () returned 0x470 [0102.874] RtlWakeAllConditionVariable () returned 0x4c674c [0102.875] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c54a8 | out: hHeap=0x470000) returned 1 [0102.875] TpReleaseWork () returned 0x0 [0102.875] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c9a008 | out: hHeap=0x470000) returned 1 [0102.875] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.875] GetCurrentThreadId () returned 0x470 [0102.875] GetCurrentThreadId () returned 0x470 [0102.875] RtlWakeAllConditionVariable () returned 0x125f75c [0102.948] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350fac8 | out: phModule=0x350fac8*=0x1160000) returned 1 [0102.948] GetCurrentThreadId () returned 0x470 [0102.948] GetCurrentThreadId () returned 0x470 [0102.949] GetModuleHandleExW (in: dwFlags=0x2, lpModuleName=0x0, phModule=0x350faec | out: phModule=0x350faec*=0x1160000) returned 1 [0102.949] GetCurrentThreadId () returned 0x470 [0102.949] GetCurrentThreadId () returned 0x470 [0102.949] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb60 [0102.949] FindFirstFileW (in: lpFileName="C:\\\\*", lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7f4e9560, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7f4e9560, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x2c5f7d0 [0102.949] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x9565de80, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x28df6900, ftLastAccessTime.dwHighDateTime=0x1d706aa, ftLastWriteTime.dwLowDateTime=0x28df6900, ftLastWriteTime.dwHighDateTime=0x1d706aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0102.949] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x9571c560, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x28df6900, ftLastAccessTime.dwHighDateTime=0x1d706aa, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0102.950] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x95957a00, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x95957a00, ftLastAccessTime.dwHighDateTime=0x1d70554, ftLastWriteTime.dwLowDateTime=0x95957a00, ftLastWriteTime.dwHighDateTime=0x1d70554, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0102.950] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0102.950] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xa384ad20, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0xa384ad20, ftLastAccessTime.dwHighDateTime=0x1d70554, ftLastWriteTime.dwLowDateTime=0x9237f320, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0102.950] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xa37fea60, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0xa37fea60, ftLastAccessTime.dwHighDateTime=0x1d70554, ftLastWriteTime.dwLowDateTime=0x9275d6e0, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0102.950] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0102.950] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57e0 [0102.950] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57e0 | out: hHeap=0x470000) returned 1 [0102.950] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57e0 [0102.950] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5808 [0102.950] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\*", lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f810 [0102.952] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5808 | out: hHeap=0x470000) returned 1 [0102.952] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.952] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0102.952] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5808 [0102.952] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0102.953] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5808 | out: hHeap=0x470000) returned 1 [0102.953] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0102.953] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5808 [0102.953] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0102.954] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5808 | out: hHeap=0x470000) returned 1 [0102.954] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbbd0 [0102.954] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\Admin\\*", lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f850 [0102.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbbd0 | out: hHeap=0x470000) returned 1 [0102.955] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.955] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0102.955] FindClose (in: hFindFile=0x2c5f850 | out: hFindFile=0x2c5f850) returned 1 [0102.956] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0102.956] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0102.956] FindClose (in: hFindFile=0x2c5f810 | out: hFindFile=0x2c5f810) returned 1 [0102.956] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57e0 | out: hHeap=0x470000) returned 1 [0102.956] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd8dbb870, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd8dbb870, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0102.956] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0102.956] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0102.957] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0102.957] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0102.957] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0102.957] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe8a7c4d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8a7c4d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0102.957] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57e0 [0102.957] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57e0 | out: hHeap=0x470000) returned 1 [0102.957] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x7844bbf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x78471d50, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x78471d50, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0102.958] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xa3740380, ftCreationTime.dwHighDateTime=0x1d70554, ftLastAccessTime.dwLowDateTime=0x4f8caa80, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x4f8caa80, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0102.958] FindNextFileW (in: hFindFile=0x2c5f7d0, lpFindFileData=0x350f758 | out: lpFindFileData=0x350f758*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x791634f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x791634f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0102.958] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57e0 [0102.958] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca57e0 | out: hHeap=0x470000) returned 1 [0102.958] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca57e0 [0102.958] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5858 [0102.958] FindFirstFileW (in: lpFileName="C:\\\\Users\\*", lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x791634f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x791634f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f810 [0102.959] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5858 | out: hHeap=0x470000) returned 1 [0102.959] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x791634f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x791634f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.959] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0102.959] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x629b4b20, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x629b4b20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0102.960] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5858 [0102.960] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0102.960] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5858 | out: hHeap=0x470000) returned 1 [0102.960] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0102.961] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5858 [0102.961] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0102.961] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5858 | out: hHeap=0x470000) returned 1 [0102.961] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbbd0 [0102.961] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\*", lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x629b4b20, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x629b4b20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f850 [0102.962] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbbd0 | out: hHeap=0x470000) returned 1 [0102.962] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x629b4b20, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x629b4b20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.962] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x629dac80, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0102.962] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbbd0 [0102.962] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0102.962] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbbd0 | out: hHeap=0x470000) returned 1 [0102.962] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0102.962] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0102.962] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0102.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbbd0 [0102.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0102.963] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbbd0 | out: hHeap=0x470000) returned 1 [0102.963] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0102.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbbd0 [0102.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0102.963] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbbd0 | out: hHeap=0x470000) returned 1 [0102.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96a68 [0102.963] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Contacts\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0102.964] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96a68 | out: hHeap=0x470000) returned 1 [0102.964] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.965] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0102.965] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96a68 [0102.965] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0102.965] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96a68 | out: hHeap=0x470000) returned 1 [0102.965] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0102.965] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96a68 [0102.965] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0102.965] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96a68 | out: hHeap=0x470000) returned 1 [0102.965] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca5880 [0102.965] GetLastError () returned 0x12 [0102.966] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x364) returned 0x2caf6d0 [0102.966] SetLastError (dwErrCode=0x12) [0102.966] GetLastError () returned 0x12 [0102.966] SetLastError (dwErrCode=0x12) [0102.966] GetLastError () returned 0x12 [0102.966] SetLastError (dwErrCode=0x12) [0102.966] GetLastError () returned 0x12 [0102.966] SetLastError (dwErrCode=0x12) [0102.966] GetLastError () returned 0x12 [0102.966] SetLastError (dwErrCode=0x12) [0102.966] GetLastError () returned 0x12 [0102.966] SetLastError (dwErrCode=0x12) [0102.966] GetLastError () returned 0x12 [0102.966] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] GetLastError () returned 0x12 [0102.967] SetLastError (dwErrCode=0x12) [0102.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0102.967] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x2ca58a8 [0102.967] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x2ca58a8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0102.968] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca58a8 | out: hHeap=0x470000) returned 1 [0102.968] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca5880 | out: hHeap=0x470000) returned 1 [0102.968] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0102.968] CreateFileW (lpFileName="C:\\\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c4 [0102.969] SetFilePointerEx (in: hFile=0x5c4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.969] ReadFile (in: hFile=0x5c4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0102.974] CloseHandle (hObject=0x5c4) returned 1 [0102.974] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0102.975] RmStartSession () returned 0x0 [0103.213] RmRegisterResources () returned 0x0 [0103.428] RmGetList () returned 0x0 [0103.546] RmShutdown () returned 0x0 [0103.639] RmEndSession () returned 0x0 [0103.640] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f950) returned 1 [0103.641] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact")) returned 0x20 [0103.641] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Contacts\\Administrator.contact", dwFileAttributes=0x20) returned 1 [0103.641] CreateFileW (lpFileName="C:\\\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0103.641] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0103.642] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=68382) returned 1 [0103.642] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30fae00 [0103.642] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0103.660] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0103.666] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0x10b1e, lpOverlapped=0x0) returned 1 [0103.668] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0103.668] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.669] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.669] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.669] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.669] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.670] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.670] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.670] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.670] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.670] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.670] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.671] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.671] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.671] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.671] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.671] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.671] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30fae20*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0103.672] WriteFile (in: hFile=0x5d4, lpBuffer=0x30fae20*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30fae20*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0103.672] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0103.672] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0103.673] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0103.681] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0103.691] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30fae00 | out: hHeap=0x470000) returned 1 [0103.691] CloseHandle (hObject=0x5d4) returned 1 [0103.694] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5ea60 [0103.694] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="C:\\\\Users\\Default\\Contacts\\Administrator.contact.avdn" (normalized: "c:\\users\\default\\contacts\\administrator.contact.avdn"), dwFlags=0x1) returned 1 [0103.696] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5ea60 | out: hHeap=0x470000) returned 1 [0103.696] CryptDestroyKey (hKey=0x2c5f950) returned 1 [0103.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0103.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0103.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.697] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0103.697] CreateFileW (lpFileName="C:\\\\Users\\Default\\Contacts\\041656-readme.html" (normalized: "c:\\users\\default\\contacts\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0103.705] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0103.707] CloseHandle (hObject=0x5d4) returned 1 [0103.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0103.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0103.711] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0103.711] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0103.711] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.711] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0103.711] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0103.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.712] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0103.712] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0103.712] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.712] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.712] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.712] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.713] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.713] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.713] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Desktop\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0103.713] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.713] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.714] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.714] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0103.714] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0103.714] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.714] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0103.714] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.714] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.714] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.715] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.715] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.715] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Documents\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0103.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.716] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.716] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.716] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0103.717] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0103.717] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0103.717] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0103.717] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0103.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.718] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0103.718] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.718] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.718] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.718] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.719] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.719] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Downloads\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0103.719] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.719] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.719] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.719] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0103.719] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0103.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.720] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.720] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0103.720] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc40 [0103.720] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0103.721] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc40 | out: hHeap=0x470000) returned 1 [0103.721] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.721] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Favorites\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0103.726] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.726] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.726] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.726] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0103.726] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.726] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0103.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0103.728] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.728] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0103.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.728] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9e48 [0103.728] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Favorites\\Links\\*", lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f950 [0103.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9e48 | out: hHeap=0x470000) returned 1 [0103.729] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.729] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.729] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0103.729] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9e48 [0103.729] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x76) returned 0x2ca8fa8 [0103.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9e48 | out: hHeap=0x470000) returned 1 [0103.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8fa8 | out: hHeap=0x470000) returned 1 [0103.730] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9e48 [0103.730] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x76) returned 0x2ca8fa8 [0103.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9e48 | out: hHeap=0x470000) returned 1 [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.731] SetLastError (dwErrCode=0x12) [0103.731] GetLastError () returned 0x12 [0103.732] SetLastError (dwErrCode=0x12) [0103.732] GetLastError () returned 0x12 [0103.732] SetLastError (dwErrCode=0x12) [0103.732] GetLastError () returned 0x12 [0103.732] SetLastError (dwErrCode=0x12) [0103.732] GetLastError () returned 0x12 [0103.732] SetLastError (dwErrCode=0x12) [0103.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0103.732] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f8f08 [0103.732] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f8f08, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0103.732] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f8f08 | out: hHeap=0x470000) returned 1 [0103.732] GetLastError () returned 0x12 [0103.732] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.733] SetLastError (dwErrCode=0x12) [0103.733] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.734] SetLastError (dwErrCode=0x12) [0103.734] GetLastError () returned 0x12 [0103.735] SetLastError (dwErrCode=0x12) [0103.735] GetLastError () returned 0x12 [0103.735] SetLastError (dwErrCode=0x12) [0103.735] GetLastError () returned 0x12 [0103.735] SetLastError (dwErrCode=0x12) [0103.735] GetLastError () returned 0x12 [0103.735] SetLastError (dwErrCode=0x12) [0103.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0103.735] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0103.736] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.736] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0103.737] CloseHandle (hObject=0x5e8) returned 1 [0103.737] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0103.737] RmStartSession () returned 0x0 [0103.741] RmRegisterResources () returned 0x0 [0103.751] RmGetList () returned 0x0 [0103.810] RmShutdown () returned 0x0 [0103.887] RmEndSession () returned 0x0 [0103.891] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0103.891] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url")) returned 0x20 [0103.891] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url", dwFileAttributes=0x20) returned 1 [0103.892] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0103.892] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0103.892] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=226) returned 1 [0103.892] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e5f28 [0103.893] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0103.909] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0103.909] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0xe2, lpOverlapped=0x0) returned 1 [0103.910] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0103.910] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0103.910] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0103.910] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0103.910] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0103.911] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0103.921] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0103.931] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5f28 | out: hHeap=0x470000) returned 1 [0103.931] CloseHandle (hObject=0x5e8) returned 1 [0103.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0103.933] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.avdn" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.avdn"), dwFlags=0x1) returned 1 [0103.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0103.934] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0103.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0103.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0103.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0103.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0103.934] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Links\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\links\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0103.934] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0103.936] CloseHandle (hObject=0x5e8) returned 1 [0103.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0103.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0103.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0103.938] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0103.938] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca8fa8 | out: hHeap=0x470000) returned 1 [0103.938] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0103.938] FindClose (in: hFindFile=0x2c5f950 | out: hFindFile=0x2c5f950) returned 1 [0103.939] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0103.939] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0103.939] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.939] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0103.940] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.940] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0103.940] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0103.940] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0103.940] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0103.940] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0103.940] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f950 [0103.943] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0103.943] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.944] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0103.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0103.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0103.944] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0103.944] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0103.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0103.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0103.944] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0103.944] GetLastError () returned 0x12 [0103.944] SetLastError (dwErrCode=0x12) [0103.944] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.945] GetLastError () returned 0x12 [0103.945] SetLastError (dwErrCode=0x12) [0103.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0103.946] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0103.946] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0103.946] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.946] GetLastError () returned 0x12 [0103.946] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.947] GetLastError () returned 0x12 [0103.947] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] GetLastError () returned 0x12 [0103.948] SetLastError (dwErrCode=0x12) [0103.948] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0103.948] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0103.949] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.949] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0103.950] CloseHandle (hObject=0x5e8) returned 1 [0103.950] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0103.950] RmStartSession () returned 0x0 [0103.954] RmRegisterResources () returned 0x0 [0103.972] RmGetList () returned 0x0 [0104.020] RmShutdown () returned 0x0 [0104.120] RmEndSession () returned 0x0 [0104.124] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f910) returned 1 [0104.125] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url")) returned 0x20 [0104.125] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url", dwFileAttributes=0x20) returned 1 [0104.125] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.125] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0104.125] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0104.125] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0104.126] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0104.142] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.142] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0104.143] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0104.143] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0104.143] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0104.144] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.145] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0104.145] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0104.152] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0104.158] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0104.158] CloseHandle (hObject=0x5e8) returned 1 [0104.163] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4d78 [0104.163] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.avdn" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.avdn"), dwFlags=0x1) returned 1 [0104.165] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4d78 | out: hHeap=0x470000) returned 1 [0104.165] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0104.165] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.165] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.165] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.165] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4d78 [0104.166] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.166] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0104.168] CloseHandle (hObject=0x5e8) returned 1 [0104.169] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4d78 | out: hHeap=0x470000) returned 1 [0104.169] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.169] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.170] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0104.170] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.170] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0104.170] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.170] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca6938 [0104.170] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.171] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca6938 | out: hHeap=0x470000) returned 1 [0104.171] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.171] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca6938 [0104.171] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.171] SetLastError (dwErrCode=0x0) [0104.171] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0104.172] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0104.172] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0104.172] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.172] GetLastError () returned 0x0 [0104.172] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.173] SetLastError (dwErrCode=0x0) [0104.173] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] GetLastError () returned 0x0 [0104.174] SetLastError (dwErrCode=0x0) [0104.174] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca69e0 [0104.174] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.175] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.175] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0104.178] CloseHandle (hObject=0x5e8) returned 1 [0104.178] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca6a88 [0104.178] RmStartSession () returned 0x0 [0104.180] RmRegisterResources () returned 0x0 [0104.184] RmGetList () returned 0x0 [0104.224] RmShutdown () returned 0x0 [0104.285] RmEndSession () returned 0x0 [0104.292] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0104.293] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url")) returned 0x20 [0104.293] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", dwFileAttributes=0x20) returned 1 [0104.293] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.293] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0104.293] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0104.293] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0104.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0104.312] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.312] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0104.314] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0104.314] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0104.314] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0104.314] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.314] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0104.315] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0104.322] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0104.330] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0104.330] CloseHandle (hObject=0x5e8) returned 1 [0104.332] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb0) returned 0x2c26ac8 [0104.332] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.avdn" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.avdn"), dwFlags=0x1) returned 1 [0104.333] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c26ac8 | out: hHeap=0x470000) returned 1 [0104.333] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0104.333] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca6a88 | out: hHeap=0x470000) returned 1 [0104.333] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca6a88 [0104.333] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.333] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.333] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.335] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0104.337] CloseHandle (hObject=0x5e8) returned 1 [0104.339] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.339] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.339] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca6a88 | out: hHeap=0x470000) returned 1 [0104.339] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca69e0 | out: hHeap=0x470000) returned 1 [0104.339] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca6938 | out: hHeap=0x470000) returned 1 [0104.339] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.340] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.340] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.340] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.340] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.341] GetLastError () returned 0xb7 [0104.341] SetLastError (dwErrCode=0xb7) [0104.342] GetLastError () returned 0xb7 [0104.342] SetLastError (dwErrCode=0xb7) [0104.342] GetLastError () returned 0xb7 [0104.342] SetLastError (dwErrCode=0xb7) [0104.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0104.342] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0104.342] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0104.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0104.342] GetLastError () returned 0xb7 [0104.342] SetLastError (dwErrCode=0xb7) [0104.342] GetLastError () returned 0xb7 [0104.342] SetLastError (dwErrCode=0xb7) [0104.342] GetLastError () returned 0xb7 [0104.342] SetLastError (dwErrCode=0xb7) [0104.342] GetLastError () returned 0xb7 [0104.342] SetLastError (dwErrCode=0xb7) [0104.342] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.343] SetLastError (dwErrCode=0xb7) [0104.343] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.344] GetLastError () returned 0xb7 [0104.344] SetLastError (dwErrCode=0xb7) [0104.345] GetLastError () returned 0xb7 [0104.345] SetLastError (dwErrCode=0xb7) [0104.345] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0104.345] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.345] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.345] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0104.346] CloseHandle (hObject=0x5e8) returned 1 [0104.346] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.346] RmStartSession () returned 0x0 [0104.349] RmRegisterResources () returned 0x0 [0104.354] RmGetList () returned 0x0 [0104.393] RmShutdown () returned 0x0 [0104.487] RmEndSession () returned 0x0 [0104.492] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f910) returned 1 [0104.492] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url")) returned 0x20 [0104.492] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url", dwFileAttributes=0x20) returned 1 [0104.492] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.493] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0104.493] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0104.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0104.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0104.513] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.513] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0104.514] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0104.514] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0104.515] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0104.515] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.515] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0104.516] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0104.522] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0104.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0104.530] CloseHandle (hObject=0x5e8) returned 1 [0104.531] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca6938 [0104.531] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.avdn" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.avdn"), dwFlags=0x1) returned 1 [0104.532] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca6938 | out: hHeap=0x470000) returned 1 [0104.532] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0104.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.533] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4d78 [0104.533] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.534] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0104.536] CloseHandle (hObject=0x5e8) returned 1 [0104.538] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4d78 | out: hHeap=0x470000) returned 1 [0104.538] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.538] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.538] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0104.539] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.539] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0104.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.539] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.539] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.539] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.540] SetLastError (dwErrCode=0xb7) [0104.540] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0104.541] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0104.541] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0104.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0104.541] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] GetLastError () returned 0xb7 [0104.541] SetLastError (dwErrCode=0xb7) [0104.541] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.542] SetLastError (dwErrCode=0xb7) [0104.542] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] GetLastError () returned 0xb7 [0104.543] SetLastError (dwErrCode=0xb7) [0104.543] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0104.543] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.544] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.544] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0104.545] CloseHandle (hObject=0x5e8) returned 1 [0104.545] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.545] RmStartSession () returned 0x0 [0104.548] RmRegisterResources () returned 0x0 [0104.554] RmGetList () returned 0x0 [0104.588] RmShutdown () returned 0x0 [0104.655] RmEndSession () returned 0x0 [0104.659] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0104.659] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url")) returned 0x20 [0104.659] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url", dwFileAttributes=0x20) returned 1 [0104.659] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.659] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0104.659] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0104.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0104.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0104.681] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.681] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0104.682] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0104.682] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0104.682] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0104.683] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.683] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0104.683] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0104.690] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0104.698] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0104.698] CloseHandle (hObject=0x5e8) returned 1 [0104.699] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa0) returned 0x2ca6938 [0104.699] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.avdn" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.avdn"), dwFlags=0x1) returned 1 [0104.700] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ca6938 | out: hHeap=0x470000) returned 1 [0104.700] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0104.700] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.701] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.701] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.701] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4d78 [0104.701] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.702] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0104.704] CloseHandle (hObject=0x5e8) returned 1 [0104.705] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4d78 | out: hHeap=0x470000) returned 1 [0104.705] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.706] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.706] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0104.706] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.706] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0104.706] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.706] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.707] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.707] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4c48 [0104.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.707] GetLastError () returned 0xb7 [0104.707] SetLastError (dwErrCode=0xb7) [0104.707] GetLastError () returned 0xb7 [0104.707] SetLastError (dwErrCode=0xb7) [0104.707] GetLastError () returned 0xb7 [0104.707] SetLastError (dwErrCode=0xb7) [0104.707] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] GetLastError () returned 0xb7 [0104.708] SetLastError (dwErrCode=0xb7) [0104.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0104.708] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0104.708] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0104.709] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.709] SetLastError (dwErrCode=0xb7) [0104.709] GetLastError () returned 0xb7 [0104.710] SetLastError (dwErrCode=0xb7) [0104.710] GetLastError () returned 0xb7 [0104.710] SetLastError (dwErrCode=0xb7) [0104.710] GetLastError () returned 0xb7 [0104.710] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0104.710] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.710] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.710] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0104.711] CloseHandle (hObject=0x5e8) returned 1 [0104.712] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.712] RmStartSession () returned 0x0 [0104.714] RmRegisterResources () returned 0x0 [0104.718] RmGetList () returned 0x0 [0104.750] RmShutdown () returned 0x0 [0104.823] RmEndSession () returned 0x0 [0104.827] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f910) returned 1 [0104.827] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url")) returned 0x20 [0104.827] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url", dwFileAttributes=0x20) returned 1 [0104.827] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.827] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0104.827] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=134) returned 1 [0104.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0104.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0104.844] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.844] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x86, lpOverlapped=0x0) returned 1 [0104.845] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0104.845] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0104.845] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0104.846] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0104.846] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0104.846] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0104.856] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0104.923] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0104.923] CloseHandle (hObject=0x5e8) returned 1 [0104.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4d78 [0104.925] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.avdn" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.avdn"), dwFlags=0x1) returned 1 [0104.926] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4d78 | out: hHeap=0x470000) returned 1 [0104.926] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0104.926] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4ce0 [0104.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4d78 [0104.926] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\Microsoft Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.928] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0104.931] CloseHandle (hObject=0x5e8) returned 1 [0104.932] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4d78 | out: hHeap=0x470000) returned 1 [0104.932] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.932] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4ce0 | out: hHeap=0x470000) returned 1 [0104.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0104.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.933] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0104.933] FindClose (in: hFindFile=0x2c5f950 | out: hFindFile=0x2c5f950) returned 1 [0104.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0104.933] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62abf4c0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0104.933] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0104.933] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0104.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0104.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0104.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0104.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0104.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0104.934] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.934] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\*", lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62abf4c0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f950 [0104.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.941] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62abf4c0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.941] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0104.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0104.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0104.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0104.941] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0104.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0104.942] GetLastError () returned 0x12 [0104.942] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0104.942] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0104.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0104.942] GetLastError () returned 0x12 [0104.942] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0104.942] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0104.943] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.943] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0104.944] CloseHandle (hObject=0x5e8) returned 1 [0104.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0104.944] RmStartSession () returned 0x0 [0104.946] RmRegisterResources () returned 0x0 [0104.951] RmGetList () returned 0x0 [0105.000] RmShutdown () returned 0x0 [0105.110] RmEndSession () returned 0x0 [0105.115] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0105.115] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url")) returned 0x20 [0105.115] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url", dwFileAttributes=0x20) returned 1 [0105.115] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.115] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0105.115] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0105.115] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0105.116] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0105.137] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.137] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0105.138] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0105.138] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0105.139] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0105.139] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.139] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0105.140] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0105.146] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0105.153] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0105.153] CloseHandle (hObject=0x5e8) returned 1 [0105.155] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.155] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.avdn" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.avdn"), dwFlags=0x1) returned 1 [0105.156] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.156] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0105.156] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.157] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\msn websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.157] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0105.159] CloseHandle (hObject=0x5e8) returned 1 [0105.160] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.162] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.162] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.162] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0105.162] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.162] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0105.162] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.163] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.163] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.163] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.163] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.163] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.163] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.163] GetLastError () returned 0x0 [0105.164] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0105.164] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0105.164] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0105.164] GetLastError () returned 0x0 [0105.164] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.164] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.164] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.165] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0105.166] CloseHandle (hObject=0x5e8) returned 1 [0105.166] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0105.166] RmStartSession () returned 0x0 [0105.168] RmRegisterResources () returned 0x0 [0105.173] RmGetList () returned 0x0 [0105.211] RmShutdown () returned 0x0 [0105.289] RmEndSession () returned 0x0 [0105.293] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f910) returned 1 [0105.293] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url")) returned 0x20 [0105.294] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url", dwFileAttributes=0x20) returned 1 [0105.294] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.294] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0105.294] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0105.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0105.295] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0105.315] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.315] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0105.316] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0105.316] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0105.316] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0105.317] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.317] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0105.317] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0105.325] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0105.334] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0105.334] CloseHandle (hObject=0x5e8) returned 1 [0105.335] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0105.335] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.avdn" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.avdn"), dwFlags=0x1) returned 1 [0105.336] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0105.336] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0105.336] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d55c0 | out: hHeap=0x470000) returned 1 [0105.337] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0105.337] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.337] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d5648 [0105.337] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\msn websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.338] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0105.340] CloseHandle (hObject=0x5e8) returned 1 [0105.341] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d5648 | out: hHeap=0x470000) returned 1 [0105.341] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d55c0 | out: hHeap=0x470000) returned 1 [0105.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.342] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0105.342] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.342] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.343] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.343] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.343] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.343] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.343] GetLastError () returned 0xb7 [0105.343] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0105.343] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0105.344] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0105.344] GetLastError () returned 0xb7 [0105.344] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0105.344] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.344] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.344] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0105.345] CloseHandle (hObject=0x5e8) returned 1 [0105.346] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.346] RmStartSession () returned 0x0 [0105.348] RmRegisterResources () returned 0x0 [0105.352] RmGetList () returned 0x0 [0105.387] RmShutdown () returned 0x0 [0105.452] RmEndSession () returned 0x0 [0105.471] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0105.472] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url")) returned 0x20 [0105.472] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url", dwFileAttributes=0x20) returned 1 [0105.472] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.472] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0105.472] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0105.472] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0105.473] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0105.491] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.491] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0105.492] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0105.492] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0105.492] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0105.492] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.492] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0105.493] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0105.500] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0105.507] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0105.507] CloseHandle (hObject=0x5e8) returned 1 [0105.508] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.508] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.avdn" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.avdn"), dwFlags=0x1) returned 1 [0105.509] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.509] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0105.510] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.510] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.510] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\msn websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.511] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0105.514] CloseHandle (hObject=0x5e8) returned 1 [0105.515] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.515] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.515] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.516] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0105.516] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.516] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0105.516] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.516] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.516] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.516] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.517] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.517] GetLastError () returned 0xb7 [0105.517] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0105.517] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0105.518] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0105.518] GetLastError () returned 0xb7 [0105.518] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0105.518] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.519] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.519] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0105.520] CloseHandle (hObject=0x5e8) returned 1 [0105.520] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.520] RmStartSession () returned 0x0 [0105.523] RmRegisterResources () returned 0x0 [0105.529] RmGetList () returned 0x0 [0105.564] RmShutdown () returned 0x0 [0105.635] RmEndSession () returned 0x0 [0105.639] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f910) returned 1 [0105.639] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url")) returned 0x20 [0105.639] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url", dwFileAttributes=0x20) returned 1 [0105.639] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.639] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0105.639] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0105.639] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0105.640] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0105.656] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.657] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0105.658] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0105.658] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0105.658] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0105.658] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.658] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0105.658] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0105.667] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0105.675] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0105.675] CloseHandle (hObject=0x5e8) returned 1 [0105.676] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.676] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.avdn" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.avdn"), dwFlags=0x1) returned 1 [0105.677] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.677] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0105.678] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.678] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\msn websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.680] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0105.682] CloseHandle (hObject=0x5e8) returned 1 [0105.684] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.684] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.684] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.685] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0105.685] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.685] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0105.685] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.685] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.685] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.686] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.686] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.686] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.686] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.686] GetLastError () returned 0xb7 [0105.686] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0105.687] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0105.687] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0105.687] GetLastError () returned 0xb7 [0105.687] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0105.687] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.688] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.688] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0105.689] CloseHandle (hObject=0x5e8) returned 1 [0105.689] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.689] RmStartSession () returned 0x0 [0105.691] RmRegisterResources () returned 0x0 [0105.696] RmGetList () returned 0x0 [0105.734] RmShutdown () returned 0x0 [0105.842] RmEndSession () returned 0x0 [0105.847] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0105.847] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url")) returned 0x20 [0105.847] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN.url", dwFileAttributes=0x20) returned 1 [0105.847] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.847] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0105.847] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0105.847] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0105.848] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0105.889] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.889] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0105.890] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0105.890] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0105.890] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0105.891] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0105.891] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0105.891] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0105.899] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0105.906] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0105.906] CloseHandle (hObject=0x5e8) returned 1 [0105.907] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0105.907] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.avdn" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.avdn"), dwFlags=0x1) returned 1 [0105.908] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0105.908] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0105.909] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.909] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.909] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.909] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0105.909] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\msn websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.910] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0105.912] CloseHandle (hObject=0x5e8) returned 1 [0105.914] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0105.914] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.914] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0105.914] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0105.915] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.915] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0105.915] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.915] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.915] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.915] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0105.915] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0105.915] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0105.916] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0105.916] GetLastError () returned 0xb7 [0105.916] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0105.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0105.916] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0105.916] GetLastError () returned 0xb7 [0105.916] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0105.916] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0105.917] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.917] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0105.918] CloseHandle (hObject=0x5e8) returned 1 [0105.918] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0105.918] RmStartSession () returned 0x0 [0105.920] RmRegisterResources () returned 0x0 [0106.370] RmGetList () returned 0x0 [0106.440] RmShutdown () returned 0x0 [0106.612] RmEndSession () returned 0x0 [0106.615] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f910) returned 1 [0106.615] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url")) returned 0x20 [0106.615] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url", dwFileAttributes=0x20) returned 1 [0106.615] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0106.616] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0106.616] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=133) returned 1 [0106.616] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f30 [0106.616] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0107.184] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0107.184] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x85, lpOverlapped=0x0) returned 1 [0107.185] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0107.186] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0107.186] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0107.190] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0107.190] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0107.191] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0107.198] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0107.206] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f30 | out: hHeap=0x470000) returned 1 [0107.206] CloseHandle (hObject=0x5e8) returned 1 [0107.208] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0107.208] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.avdn" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.avdn"), dwFlags=0x1) returned 1 [0107.210] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0107.210] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0107.210] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0107.210] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0107.210] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0107.210] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0107.211] CreateFileW (lpFileName="C:\\\\Users\\Default\\Favorites\\MSN Websites\\041656-readme.html" (normalized: "c:\\users\\default\\favorites\\msn websites\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0107.212] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0107.215] CloseHandle (hObject=0x5e8) returned 1 [0107.216] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0107.216] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0107.217] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0107.217] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0107.240] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0107.241] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0107.241] FindClose (in: hFindFile=0x2c5f950 | out: hFindFile=0x2c5f950) returned 1 [0107.241] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0107.241] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62abf4c0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0107.241] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.241] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0107.242] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.242] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0107.242] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62abf4c0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0107.242] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0107.243] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0107.243] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf3011f30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf3011f30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0107.243] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.243] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.243] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.243] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.243] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Links\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf3011f30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf3011f30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0107.247] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.247] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf3011f30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf3011f30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.247] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a26f40, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a26f40, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0107.248] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a4d0a0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a4d0a0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0107.248] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.248] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0107.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.248] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0107.249] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.249] GetLastError () returned 0x12 [0107.249] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0107.249] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0107.249] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0107.249] GetLastError () returned 0x12 [0107.249] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0107.250] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.250] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0107.250] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.250] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0107.250] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.250] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0107.250] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.251] GetLastError () returned 0x12 [0107.251] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3011f30, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf3011f30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf3011f30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x790, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0107.251] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.251] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0107.251] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.251] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0107.251] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.251] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0107.252] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.252] GetLastError () returned 0x12 [0107.252] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a4d0a0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a4d0a0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0107.252] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.252] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0107.252] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.253] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0107.253] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.253] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0107.253] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.253] GetLastError () returned 0x12 [0107.253] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a4d0a0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a4d0a0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0107.253] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0107.255] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.255] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0107.255] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0107.255] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.255] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.255] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.255] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0107.255] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Music\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f890 [0107.256] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0107.256] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.256] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0107.256] FindNextFileW (in: hFindFile=0x2c5f890, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0107.256] FindClose (in: hFindFile=0x2c5f890 | out: hFindFile=0x2c5f890) returned 1 [0107.257] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.257] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0107.257] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0107.257] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x62d46c20, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x62d46c20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0107.257] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xc103692e, ftCreationTime.dwHighDateTime=0x1ca0451, ftLastAccessTime.dwLowDateTime=0x1dd1880d, ftLastAccessTime.dwHighDateTime=0x1cbf8ec, ftLastWriteTime.dwLowDateTime=0x1dd1880d, ftLastWriteTime.dwHighDateTime=0x1cbf8ec, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0107.257] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.257] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0107.257] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.258] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0107.258] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.258] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0107.258] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.258] GetLastError () returned 0x12 [0107.258] CreateFileW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.260] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ef48 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.260] ReadFile (in: hFile=0x5bc, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ef40, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ef40*=0x18, lpOverlapped=0x0) returned 1 [0107.262] CloseHandle (hObject=0x5bc) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9fa8 [0107.262] RmStartSession () returned 0x0 [0107.266] RmRegisterResources () returned 0x0 [0107.270] RmGetList () returned 0x0 [0107.318] RmShutdown () returned 0x0 [0107.448] RmEndSession () returned 0x0 [0107.452] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350efe0 | out: phKey=0x350efe0*=0x2c5f910) returned 1 [0107.452] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log")) returned 0x22 [0107.452] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG", dwFileAttributes=0x22) returned 1 [0107.452] CreateFileW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.453] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ef38*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ef38*=0x2000) returned 1 [0107.453] GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x350ef24 | out: lpFileSize=0x350ef24*=1024) returned 1 [0107.453] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e5f28 [0107.454] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0107.471] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef1c | out: lpNewFilePointer=0x0) returned 1 [0107.471] ReadFile (in: hFile=0x5bc, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ef2c*=0x400, lpOverlapped=0x0) returned 1 [0107.473] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef14 | out: lpNewFilePointer=0x0) returned 1 [0107.473] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.473] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.473] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef1c | out: lpNewFilePointer=0x0) returned 1 [0107.473] WriteFile (in: hFile=0x5bc, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ef3c*=0x200, lpOverlapped=0x0) returned 1 [0107.474] WriteFile (in: hFile=0x5bc, lpBuffer=0x350eecc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x350eecc*, lpNumberOfBytesWritten=0x350ef3c*=0x18, lpOverlapped=0x0) returned 1 [0107.480] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0107.486] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5f28 | out: hHeap=0x470000) returned 1 [0107.486] CloseHandle (hObject=0x5bc) returned 1 [0107.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cba000 [0107.487] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG.avdn" (normalized: "c:\\users\\default\\ntuser.dat.log.avdn"), dwFlags=0x1) returned 1 [0107.488] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cba000 | out: hHeap=0x470000) returned 1 [0107.488] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0107.489] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9fa8 | out: hHeap=0x470000) returned 1 [0107.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9fa8 [0107.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cba000 [0107.489] CreateFileW (lpFileName="C:\\\\Users\\Default\\041656-readme.html" (normalized: "c:\\users\\default\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.489] WriteFile (in: hFile=0x5bc, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350efe0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350efe0*=0xc78d, lpOverlapped=0x0) returned 1 [0107.492] CloseHandle (hObject=0x5bc) returned 1 [0107.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cba000 | out: hHeap=0x470000) returned 1 [0107.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9fa8 | out: hHeap=0x470000) returned 1 [0107.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0107.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0107.493] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x62d46c20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x2e400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0107.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0107.494] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.494] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0107.494] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.494] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0107.494] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.494] GetLastError () returned 0x0 [0107.494] CreateFileW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.495] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ef48 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.495] ReadFile (in: hFile=0x5bc, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ef40, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ef40*=0x18, lpOverlapped=0x0) returned 1 [0107.513] CloseHandle (hObject=0x5bc) returned 1 [0107.513] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9fa8 [0107.513] RmStartSession () returned 0x0 [0107.516] RmRegisterResources () returned 0x0 [0107.521] RmGetList () returned 0x0 [0107.567] RmShutdown () returned 0x0 [0107.672] RmEndSession () returned 0x0 [0107.677] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350efe0 | out: phKey=0x350efe0*=0x2c5f890) returned 1 [0107.677] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1")) returned 0x22 [0107.677] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG1", dwFileAttributes=0x22) returned 1 [0107.677] CreateFileW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.677] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ef38*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ef38*=0x2000) returned 1 [0107.677] GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x350ef24 | out: lpFileSize=0x350ef24*=189440) returned 1 [0107.677] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e5f28 [0107.678] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0107.697] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef1c | out: lpNewFilePointer=0x0) returned 1 [0107.697] ReadFile (in: hFile=0x5bc, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ef2c*=0x2e400, lpOverlapped=0x0) returned 1 [0107.704] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef14 | out: lpNewFilePointer=0x0) returned 1 [0107.704] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.704] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.704] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.704] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.705] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.705] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.705] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.705] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.705] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.705] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.706] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.706] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.706] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.706] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.706] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.706] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.706] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.707] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.707] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.707] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.707] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.707] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.707] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.707] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.708] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.708] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.708] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.708] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.708] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.708] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.708] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.708] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.709] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.709] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.709] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.709] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.709] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.709] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.709] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.710] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.710] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.710] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.710] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.710] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.710] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.710] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.711] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e5f40*, pdwDataLen=0x350ef34*=0x2000) returned 1 [0107.711] WriteFile (in: hFile=0x5bc, lpBuffer=0x30e5f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x30e5f40*, lpNumberOfBytesWritten=0x350ef3c*=0x2000, lpOverlapped=0x0) returned 1 [0107.711] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef1c | out: lpNewFilePointer=0x0) returned 1 [0107.711] WriteFile (in: hFile=0x5bc, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ef3c*=0x200, lpOverlapped=0x0) returned 1 [0107.712] WriteFile (in: hFile=0x5bc, lpBuffer=0x350eecc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x350eecc*, lpNumberOfBytesWritten=0x350ef3c*=0x18, lpOverlapped=0x0) returned 1 [0107.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0107.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5f28 | out: hHeap=0x470000) returned 1 [0107.727] CloseHandle (hObject=0x5bc) returned 1 [0107.730] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cba000 [0107.730] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG1.avdn" (normalized: "c:\\users\\default\\ntuser.dat.log1.avdn"), dwFlags=0x1) returned 1 [0107.731] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cba000 | out: hHeap=0x470000) returned 1 [0107.731] CryptDestroyKey (hKey=0x2c5f890) returned 1 [0107.732] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9fa8 | out: hHeap=0x470000) returned 1 [0107.732] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9fa8 [0107.732] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.732] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cba000 [0107.732] CreateFileW (lpFileName="C:\\\\Users\\Default\\041656-readme.html" (normalized: "c:\\users\\default\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.734] WriteFile (in: hFile=0x5bc, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350efe0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350efe0*=0xc78d, lpOverlapped=0x0) returned 1 [0107.736] CloseHandle (hObject=0x5bc) returned 1 [0107.737] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cba000 | out: hHeap=0x470000) returned 1 [0107.738] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9fa8 | out: hHeap=0x470000) returned 1 [0107.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0107.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0107.739] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x9012aa61, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0107.739] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.739] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0107.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.740] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0107.740] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0107.740] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0107.740] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0107.740] GetLastError () returned 0xb7 [0107.740] CreateFileW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0107.741] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ef48 | out: lpNewFilePointer=0xffffffff) returned 0 [0107.741] CloseHandle (hObject=0x5bc) returned 1 [0107.741] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9fa8 [0107.741] RmStartSession () returned 0x0 [0107.744] RmRegisterResources () returned 0x0 [0107.754] RmGetList () returned 0x0 [0107.837] RmShutdown () returned 0x0 [0108.000] RmEndSession () returned 0x0 [0108.005] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350efe0 | out: phKey=0x350efe0*=0x2c5f910) returned 1 [0108.005] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2")) returned 0x22 [0108.006] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG2", dwFileAttributes=0x22) returned 1 [0108.006] CreateFileW (lpFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0108.006] CryptEncrypt (in: hKey=0x2c5f910, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ef38*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ef38*=0x2000) returned 1 [0108.006] GetFileSizeEx (in: hFile=0x5bc, lpFileSize=0x350ef24 | out: lpFileSize=0x350ef24*=0) returned 1 [0108.006] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e5f28 [0108.007] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0108.026] SetFilePointerEx (in: hFile=0x5bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ef1c | out: lpNewFilePointer=0x0) returned 1 [0108.026] WriteFile (in: hFile=0x5bc, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ef3c*=0x200, lpOverlapped=0x0) returned 1 [0108.028] WriteFile (in: hFile=0x5bc, lpBuffer=0x350eecc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ef3c, lpOverlapped=0x0 | out: lpBuffer=0x350eecc*, lpNumberOfBytesWritten=0x350ef3c*=0x18, lpOverlapped=0x0) returned 1 [0108.034] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0108.043] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5f28 | out: hHeap=0x470000) returned 1 [0108.043] CloseHandle (hObject=0x5bc) returned 1 [0108.044] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cba000 [0108.044] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\\\Users\\Default\\NTUSER.DAT.LOG2.avdn" (normalized: "c:\\users\\default\\ntuser.dat.log2.avdn"), dwFlags=0x1) returned 1 [0108.046] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cba000 | out: hHeap=0x470000) returned 1 [0108.046] CryptDestroyKey (hKey=0x2c5f910) returned 1 [0108.046] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9fa8 | out: hHeap=0x470000) returned 1 [0108.046] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9fa8 [0108.046] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.046] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cba000 [0108.046] CreateFileW (lpFileName="C:\\\\Users\\Default\\041656-readme.html" (normalized: "c:\\users\\default\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0108.048] WriteFile (in: hFile=0x5bc, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350efe0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350efe0*=0xc78d, lpOverlapped=0x0) returned 1 [0108.050] CloseHandle (hObject=0x5bc) returned 1 [0108.051] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cba000 | out: hHeap=0x470000) returned 1 [0108.051] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.051] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9fa8 | out: hHeap=0x470000) returned 1 [0108.051] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0108.051] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0108.051] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8d30919, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8d30919, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0108.052] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8da2d3a, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8da2d3a, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8e8757c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0108.052] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8deeffb, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8deeffb, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0108.052] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x629b4b20, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0108.052] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0108.052] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.052] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.052] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.052] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.052] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.053] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.053] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.053] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.053] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Pictures\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f910 [0108.054] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.054] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.054] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.054] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.054] FindClose (in: hFindFile=0x2c5f910 | out: hFindFile=0x2c5f910) returned 1 [0108.054] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.054] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0108.054] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0108.054] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0108.055] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.055] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.055] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.055] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.055] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.055] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.055] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.055] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.056] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Saved Games\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f910 [0108.056] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.056] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.056] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.056] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.057] FindClose (in: hFindFile=0x2c5f910 | out: hFindFile=0x2c5f910) returned 1 [0108.057] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.057] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0108.057] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.057] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.057] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.057] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.058] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.058] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.058] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.058] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.058] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Searches\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f910 [0108.061] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.061] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x629b4b20, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.061] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.061] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0108.061] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.061] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0108.061] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.062] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0108.062] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.062] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0108.062] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.062] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.062] GetLastError () returned 0x12 [0108.062] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f9048 [0108.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f9048, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0108.063] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f9048 | out: hHeap=0x470000) returned 1 [0108.063] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.063] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0108.063] CreateFileW (lpFileName="C:\\\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.063] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.064] ReadFile (in: hFile=0x5d4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0108.065] CloseHandle (hObject=0x5d4) returned 1 [0108.065] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x30e5f40 [0108.065] RmStartSession () returned 0x0 [0108.067] RmRegisterResources () returned 0x0 [0108.072] RmGetList () returned 0x0 [0108.149] RmShutdown () returned 0x0 [0108.234] RmEndSession () returned 0x0 [0108.238] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f8d0) returned 1 [0108.238] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms")) returned 0x23 [0108.238] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Searches\\Everywhere.search-ms", dwFileAttributes=0x22) returned 1 [0108.238] CreateFileW (lpFileName="C:\\\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.238] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0108.238] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=248) returned 1 [0108.238] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f28 [0108.239] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0108.254] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.255] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0xf8, lpOverlapped=0x0) returned 1 [0108.256] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0108.256] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.256] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.256] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.256] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0108.256] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0108.267] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0108.272] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f28 | out: hHeap=0x470000) returned 1 [0108.272] CloseHandle (hObject=0x5d4) returned 1 [0108.273] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.274] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), lpNewFileName="C:\\\\Users\\Default\\Searches\\Everywhere.search-ms.avdn" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms.avdn"), dwFlags=0x1) returned 1 [0108.274] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0108.275] CryptDestroyKey (hKey=0x2c5f8d0) returned 1 [0108.275] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5f40 | out: hHeap=0x470000) returned 1 [0108.275] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x30e5f40 [0108.275] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.275] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x30e5fa8 [0108.275] CreateFileW (lpFileName="C:\\\\Users\\Default\\Searches\\041656-readme.html" (normalized: "c:\\users\\default\\searches\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.275] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0108.278] CloseHandle (hObject=0x5d4) returned 1 [0108.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5fa8 | out: hHeap=0x470000) returned 1 [0108.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e5f40 | out: hHeap=0x470000) returned 1 [0108.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0108.280] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0108.280] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0108.280] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.280] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.280] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.280] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0108.280] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.280] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.281] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.281] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.281] GetLastError () returned 0x0 [0108.281] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f8ff8 [0108.281] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f8ff8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0108.281] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f8ff8 | out: hHeap=0x470000) returned 1 [0108.281] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.281] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0108.281] CreateFileW (lpFileName="C:\\\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.282] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.282] ReadFile (in: hFile=0x5d4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0108.283] CloseHandle (hObject=0x5d4) returned 1 [0108.283] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0108.283] RmStartSession () returned 0x0 [0108.285] RmRegisterResources () returned 0x0 [0108.289] RmGetList () returned 0x0 [0108.367] RmShutdown () returned 0x0 [0108.439] RmEndSession () returned 0x0 [0108.443] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f950) returned 1 [0108.443] GetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms")) returned 0x23 [0108.443] SetFileAttributesW (lpFileName="C:\\\\Users\\Default\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x22) returned 1 [0108.444] CreateFileW (lpFileName="C:\\\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.444] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0108.444] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=248) returned 1 [0108.444] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f28 [0108.444] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0108.460] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.460] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0xf8, lpOverlapped=0x0) returned 1 [0108.461] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0108.461] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.461] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.462] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.462] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0108.462] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0108.468] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0108.474] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f28 | out: hHeap=0x470000) returned 1 [0108.474] CloseHandle (hObject=0x5d4) returned 1 [0108.476] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0108.476] MoveFileExW (lpExistingFileName="C:\\\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), lpNewFileName="C:\\\\Users\\Default\\Searches\\Indexed Locations.search-ms.avdn" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms.avdn"), dwFlags=0x1) returned 1 [0108.477] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0108.477] CryptDestroyKey (hKey=0x2c5f950) returned 1 [0108.477] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0108.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0108.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0108.477] CreateFileW (lpFileName="C:\\\\Users\\Default\\Searches\\041656-readme.html" (normalized: "c:\\users\\default\\searches\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.479] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0108.481] CloseHandle (hObject=0x5d4) returned 1 [0108.482] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0108.483] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.483] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0108.483] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0108.483] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0108.483] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0108.484] FindClose (in: hFindFile=0x2c5f910 | out: hFindFile=0x2c5f910) returned 1 [0108.484] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.484] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0108.484] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0108.484] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0108.484] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0108.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.484] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.485] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.485] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.485] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default\\Videos\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f910 [0108.486] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.486] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.486] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.486] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62a00de0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.486] FindClose (in: hFindFile=0x2c5f910 | out: hFindFile=0x2c5f910) returned 1 [0108.486] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.486] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62a00de0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0108.486] FindClose (in: hFindFile=0x2c5f850 | out: hFindFile=0x2c5f850) returned 1 [0108.487] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0108.487] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0108.487] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.487] FindNextFileW (in: hFindFile=0x2c5f810, lpFindFileData=0x350f460 | out: lpFindFileData=0x350f460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x791634f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf29f86d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf29f86d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kEecfMwgj", cAlternateFileName="KEECFM~1")) returned 1 [0108.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0108.487] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.487] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbb98 | out: hHeap=0x470000) returned 1 [0108.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbb98 [0108.487] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.488] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.488] FindFirstFileW (in: lpFileName="C:\\\\Users\\kEecfMwgj\\*", lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x791634f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf29f86d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf29f86d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f850 [0108.488] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.488] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x791634f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf29f86d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf29f86d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.488] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0108.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.489] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.489] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.489] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x79d70450, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79d70450, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x79d70450, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0108.489] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e7f6e20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0108.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.489] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.490] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.490] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.490] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.490] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.490] FindFirstFileW (in: lpFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e7f6e20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f910 [0108.491] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.491] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e7f6e20, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.492] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7996bf30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0108.492] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.492] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.492] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0108.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.493] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.493] GetLastError () returned 0x12 [0108.494] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90c0 [0108.494] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f90c0, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0108.494] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90c0 | out: hHeap=0x470000) returned 1 [0108.495] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.495] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0108.495] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\Administrator.contact" (normalized: "c:\\users\\keecfmwgj\\contacts\\administrator.contact"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.496] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.496] ReadFile (in: hFile=0x5d4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0108.501] CloseHandle (hObject=0x5d4) returned 1 [0108.501] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0108.501] RmStartSession () returned 0x0 [0108.503] RmRegisterResources () returned 0x0 [0108.507] RmGetList () returned 0x0 [0108.542] RmShutdown () returned 0x0 [0108.607] RmEndSession () returned 0x0 [0108.610] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f8d0) returned 1 [0108.610] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\Administrator.contact" (normalized: "c:\\users\\keecfmwgj\\contacts\\administrator.contact")) returned 0x20 [0108.611] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\Administrator.contact", dwFileAttributes=0x20) returned 1 [0108.611] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\Administrator.contact" (normalized: "c:\\users\\keecfmwgj\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.611] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0108.611] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=68382) returned 1 [0108.611] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f28 [0108.612] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0108.628] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.628] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0x10b1e, lpOverlapped=0x0) returned 1 [0108.630] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0108.630] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.630] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.631] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.631] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.631] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.631] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.631] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.631] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.631] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.631] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.632] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.632] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.632] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.632] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.632] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.632] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.632] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.632] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.633] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.633] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0108.633] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0108.642] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0108.651] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f28 | out: hHeap=0x470000) returned 1 [0108.651] CloseHandle (hObject=0x5d4) returned 1 [0108.652] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5ea60 [0108.652] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\Administrator.contact" (normalized: "c:\\users\\keecfmwgj\\contacts\\administrator.contact"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\Administrator.contact.avdn" (normalized: "c:\\users\\keecfmwgj\\contacts\\administrator.contact.avdn"), dwFlags=0x1) returned 1 [0108.653] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5ea60 | out: hHeap=0x470000) returned 1 [0108.653] CryptDestroyKey (hKey=0x2c5f8d0) returned 1 [0108.653] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0108.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0108.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0108.654] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Contacts\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\contacts\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.654] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0108.656] CloseHandle (hObject=0x5d4) returned 1 [0108.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0108.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0108.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0108.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0108.658] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7996bf30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e7f9530, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.658] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7996bf30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e7f9530, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.658] FindClose (in: hFindFile=0x2c5f910 | out: hFindFile=0x2c5f910) returned 1 [0108.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.658] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x79d70450, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79d70450, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x79d70450, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0108.658] FindNextFileW (in: hFindFile=0x2c5f850, lpFindFileData=0x350f168 | out: lpFindFileData=0x350f168*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x4b022d20, ftLastAccessTime.dwHighDateTime=0x1d7fb45, ftLastWriteTime.dwLowDateTime=0x4b022d20, ftLastWriteTime.dwHighDateTime=0x1d7fb45, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0108.658] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.659] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.659] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c8a110 | out: hHeap=0x470000) returned 1 [0108.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x30) returned 0x2cbbc78 [0108.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x46) returned 0x2c8a110 [0108.659] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cbbc78 | out: hHeap=0x470000) returned 1 [0108.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.659] FindFirstFileW (in: lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\*", lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x4b022d20, ftLastAccessTime.dwHighDateTime=0x1d7fb45, ftLastWriteTime.dwLowDateTime=0x4b022d20, ftLastWriteTime.dwHighDateTime=0x1d7fb45, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f910 [0108.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.660] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x4b022d20, ftLastAccessTime.dwHighDateTime=0x1d7fb45, ftLastWriteTime.dwLowDateTime=0x4b022d20, ftLastWriteTime.dwHighDateTime=0x1d7fb45, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.660] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8eb7d7d0, ftCreationTime.dwHighDateTime=0x1d7dc01, ftLastAccessTime.dwLowDateTime=0xd047b450, ftLastAccessTime.dwHighDateTime=0x1d7e619, ftLastWriteTime.dwLowDateTime=0xd047b450, ftLastWriteTime.dwHighDateTime=0x1d7e619, nFileSizeHigh=0x0, nFileSizeLow=0x62a, dwReserved0=0x0, dwReserved1=0x0, cFileName="-Czpv.mp3", cAlternateFileName="")) returned 1 [0108.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0108.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0108.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.661] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0108.661] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.661] GetLastError () returned 0x12 [0108.661] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.661] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0108.661] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.661] GetLastError () returned 0x12 [0108.661] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0108.661] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-Czpv.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\-czpv.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.662] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.662] ReadFile (in: hFile=0x5d4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0108.663] CloseHandle (hObject=0x5d4) returned 1 [0108.663] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9f50 [0108.663] RmStartSession () returned 0x0 [0108.665] RmRegisterResources () returned 0x0 [0108.670] RmGetList () returned 0x0 [0108.702] RmShutdown () returned 0x0 [0108.774] RmEndSession () returned 0x0 [0108.780] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f950) returned 1 [0108.780] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-Czpv.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\-czpv.mp3")) returned 0x20 [0108.780] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-Czpv.mp3", dwFileAttributes=0x20) returned 1 [0108.783] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-Czpv.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\-czpv.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.783] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0108.783] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=1578) returned 1 [0108.783] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f28 [0108.784] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0108.804] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.804] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0x62a, lpOverlapped=0x0) returned 1 [0108.806] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0108.806] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.807] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.807] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.807] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0108.808] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0108.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0108.821] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f28 | out: hHeap=0x470000) returned 1 [0108.821] CloseHandle (hObject=0x5d4) returned 1 [0108.823] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0108.823] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-Czpv.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\-czpv.mp3"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-Czpv.mp3.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\-czpv.mp3.avdn"), dwFlags=0x1) returned 1 [0108.825] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0108.825] CryptDestroyKey (hKey=0x2c5f950) returned 1 [0108.825] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0108.825] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9f50 [0108.825] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.825] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0108.825] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.826] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0108.828] CloseHandle (hObject=0x5d4) returned 1 [0108.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0108.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0108.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0108.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0108.830] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xceb31fe0, ftCreationTime.dwHighDateTime=0x1d7e640, ftLastAccessTime.dwLowDateTime=0x873e7af0, ftLastAccessTime.dwHighDateTime=0x1d7e650, ftLastWriteTime.dwLowDateTime=0x873e7af0, ftLastWriteTime.dwHighDateTime=0x1d7e650, nFileSizeHigh=0x0, nFileSizeLow=0x980f, dwReserved0=0x0, dwReserved1=0x0, cFileName="-ozBRluaHqu9LIfa7.flv", cAlternateFileName="-OZBRL~1.FLV")) returned 1 [0108.830] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.830] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0108.830] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0108.830] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0108.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0108.830] GetLastError () returned 0x0 [0108.831] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0108.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0108.831] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0108.831] GetLastError () returned 0x0 [0108.831] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0108.831] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-ozBRluaHqu9LIfa7.flv" (normalized: "c:\\users\\keecfmwgj\\desktop\\-ozbrluahqu9lifa7.flv"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.831] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.831] ReadFile (in: hFile=0x5d4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0108.832] CloseHandle (hObject=0x5d4) returned 1 [0108.832] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0108.832] RmStartSession () returned 0x0 [0108.834] RmRegisterResources () returned 0x0 [0108.838] RmGetList () returned 0x0 [0108.878] RmShutdown () returned 0x0 [0108.949] RmEndSession () returned 0x0 [0108.953] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f8d0) returned 1 [0108.953] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-ozBRluaHqu9LIfa7.flv" (normalized: "c:\\users\\keecfmwgj\\desktop\\-ozbrluahqu9lifa7.flv")) returned 0x20 [0108.953] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-ozBRluaHqu9LIfa7.flv", dwFileAttributes=0x20) returned 1 [0108.954] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-ozBRluaHqu9LIfa7.flv" (normalized: "c:\\users\\keecfmwgj\\desktop\\-ozbrluahqu9lifa7.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0108.954] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0108.954] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=38927) returned 1 [0108.954] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f28 [0108.954] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0108.973] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.973] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0x980f, lpOverlapped=0x0) returned 1 [0108.975] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0108.975] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.975] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.976] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.976] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.976] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.976] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.976] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.976] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.977] CryptEncrypt (in: hKey=0x2c5f8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0108.977] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0108.977] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0108.977] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0108.977] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0108.983] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0109.006] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f28 | out: hHeap=0x470000) returned 1 [0109.006] CloseHandle (hObject=0x5d4) returned 1 [0109.007] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5ea60 [0109.008] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-ozBRluaHqu9LIfa7.flv" (normalized: "c:\\users\\keecfmwgj\\desktop\\-ozbrluahqu9lifa7.flv"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\-ozBRluaHqu9LIfa7.flv.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\-ozbrluahqu9lifa7.flv.avdn"), dwFlags=0x1) returned 1 [0109.009] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5ea60 | out: hHeap=0x470000) returned 1 [0109.009] CryptDestroyKey (hKey=0x2c5f8d0) returned 1 [0109.010] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0109.010] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e808 [0109.010] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0109.010] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c47418 [0109.010] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0109.013] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0109.015] CloseHandle (hObject=0x5d4) returned 1 [0109.017] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0109.017] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0109.018] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e808 | out: hHeap=0x470000) returned 1 [0109.018] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0109.018] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0109.018] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x467b82a0, ftCreationTime.dwHighDateTime=0x1d7de6d, ftLastAccessTime.dwLowDateTime=0x36b2630, ftLastAccessTime.dwHighDateTime=0x1d7e0c2, ftLastWriteTime.dwLowDateTime=0x36b2630, ftLastWriteTime.dwHighDateTime=0x1d7e0c2, nFileSizeHigh=0x0, nFileSizeLow=0xb54c, dwReserved0=0x0, dwReserved1=0x0, cFileName="05Gh.mkv", cAlternateFileName="")) returned 1 [0109.018] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0109.018] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0109.019] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0109.019] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0109.019] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0109.020] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0109.020] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0109.020] GetLastError () returned 0xb7 [0109.020] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0109.020] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350ecdc, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0109.020] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0109.020] GetLastError () returned 0xb7 [0109.021] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9ef8 [0109.021] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\05Gh.mkv" (normalized: "c:\\users\\keecfmwgj\\desktop\\05gh.mkv"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0109.021] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350ec50 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.021] ReadFile (in: hFile=0x5d4, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350ec48, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350ec48*=0x18, lpOverlapped=0x0) returned 1 [0109.022] CloseHandle (hObject=0x5d4) returned 1 [0109.022] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9f50 [0109.022] RmStartSession () returned 0x0 [0109.025] RmRegisterResources () returned 0x0 [0109.031] RmGetList () returned 0x0 [0109.126] RmShutdown () returned 0x0 [0109.367] RmEndSession () returned 0x0 [0109.371] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350ece8 | out: phKey=0x350ece8*=0x2c5f950) returned 1 [0109.371] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\05Gh.mkv" (normalized: "c:\\users\\keecfmwgj\\desktop\\05gh.mkv")) returned 0x20 [0109.372] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\05Gh.mkv", dwFileAttributes=0x20) returned 1 [0109.374] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\05Gh.mkv" (normalized: "c:\\users\\keecfmwgj\\desktop\\05gh.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0109.374] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350ec40*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350ec40*=0x2000) returned 1 [0109.374] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x350ec2c | out: lpFileSize=0x350ec2c*=46412) returned 1 [0109.374] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e6f28 [0109.375] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0109.410] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0109.410] ReadFile (in: hFile=0x5d4, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350ec34, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350ec34*=0xb54c, lpOverlapped=0x0) returned 1 [0109.420] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec1c | out: lpNewFilePointer=0x0) returned 1 [0109.420] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0109.420] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0109.421] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0109.421] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0109.421] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0109.421] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0109.421] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0109.422] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0109.422] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0109.434] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0109.435] CryptEncrypt (in: hKey=0x2c5f950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e6f40*, pdwDataLen=0x350ec3c*=0x2000) returned 1 [0109.435] WriteFile (in: hFile=0x5d4, lpBuffer=0x30e6f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x30e6f40*, lpNumberOfBytesWritten=0x350ec44*=0x2000, lpOverlapped=0x0) returned 1 [0109.435] SetFilePointerEx (in: hFile=0x5d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350ec24 | out: lpNewFilePointer=0x0) returned 1 [0109.435] WriteFile (in: hFile=0x5d4, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350ec44*=0x200, lpOverlapped=0x0) returned 1 [0109.436] WriteFile (in: hFile=0x5d4, lpBuffer=0x350ebd4*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350ec44, lpOverlapped=0x0 | out: lpBuffer=0x350ebd4*, lpNumberOfBytesWritten=0x350ec44*=0x18, lpOverlapped=0x0) returned 1 [0109.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0109.443] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e6f28 | out: hHeap=0x470000) returned 1 [0109.443] CloseHandle (hObject=0x5d4) returned 1 [0109.445] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.445] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\05Gh.mkv" (normalized: "c:\\users\\keecfmwgj\\desktop\\05gh.mkv"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\05Gh.mkv.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\05gh.mkv.avdn"), dwFlags=0x1) returned 1 [0109.449] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.449] CryptDestroyKey (hKey=0x2c5f950) returned 1 [0109.450] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0109.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x50) returned 0x2cb9f50 [0109.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0109.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.450] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0109.452] WriteFile (in: hFile=0x5d4, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350ece8, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350ece8*=0xc78d, lpOverlapped=0x0) returned 1 [0109.454] CloseHandle (hObject=0x5d4) returned 1 [0109.455] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.455] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0109.455] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9f50 | out: hHeap=0x470000) returned 1 [0109.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb9ef8 | out: hHeap=0x470000) returned 1 [0109.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0109.456] FindNextFileW (in: hFindFile=0x2c5f910, lpFindFileData=0x350ee70 | out: lpFindFileData=0x350ee70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bbb5f0, ftCreationTime.dwHighDateTime=0x1d7d958, ftLastAccessTime.dwLowDateTime=0xe785a860, ftLastAccessTime.dwHighDateTime=0x1d7e02f, ftLastWriteTime.dwLowDateTime=0xe785a860, ftLastWriteTime.dwHighDateTime=0x1d7e02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3NR2RNc6BbR", cAlternateFileName="3NR2RN~1")) returned 1 [0109.456] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0109.456] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0109.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0109.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c47418 | out: hHeap=0x470000) returned 1 [0109.456] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x2c96900 [0109.456] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5e) returned 0x2c47418 [0109.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c96900 | out: hHeap=0x470000) returned 1 [0109.456] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.456] FindFirstFileW (in: lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\*", lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bbb5f0, ftCreationTime.dwHighDateTime=0x1d7d958, ftLastAccessTime.dwLowDateTime=0xe785a860, ftLastAccessTime.dwHighDateTime=0x1d7e02f, ftLastWriteTime.dwLowDateTime=0xe785a860, ftLastWriteTime.dwHighDateTime=0x1d7e02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x2c5f950 [0109.457] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.457] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24bbb5f0, ftCreationTime.dwHighDateTime=0x1d7d958, ftLastAccessTime.dwLowDateTime=0xe785a860, ftLastAccessTime.dwHighDateTime=0x1d7e02f, ftLastWriteTime.dwLowDateTime=0xe785a860, ftLastWriteTime.dwHighDateTime=0x1d7e02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.457] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce647170, ftCreationTime.dwHighDateTime=0x1d7e09f, ftLastAccessTime.dwLowDateTime=0xe2919e60, ftLastAccessTime.dwHighDateTime=0x1d7e0dc, ftLastWriteTime.dwLowDateTime=0xe2919e60, ftLastWriteTime.dwHighDateTime=0x1d7e0dc, nFileSizeHigh=0x0, nFileSizeLow=0x107cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="aFqKTEVkXz4.pps", cAlternateFileName="AFQKTE~1.PPS")) returned 1 [0109.457] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.457] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0109.457] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.457] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0109.457] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.457] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0109.457] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.457] GetLastError () returned 0xb7 [0109.457] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0109.457] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0109.457] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0109.457] GetLastError () returned 0xb7 [0109.458] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0109.458] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\aFqKTEVkXz4.pps" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\afqktevkxz4.pps"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0109.458] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.458] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0109.459] CloseHandle (hObject=0x5e8) returned 1 [0109.459] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0109.459] RmStartSession () returned 0x0 [0109.462] RmRegisterResources () returned 0x0 [0109.466] RmGetList () returned 0x0 [0109.515] RmShutdown () returned 0x0 [0109.637] RmEndSession () returned 0x0 [0109.641] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0109.642] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\aFqKTEVkXz4.pps" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\afqktevkxz4.pps")) returned 0x20 [0109.642] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\aFqKTEVkXz4.pps", dwFileAttributes=0x20) returned 1 [0109.642] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\aFqKTEVkXz4.pps" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\afqktevkxz4.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0109.642] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0109.642] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=67533) returned 1 [0109.642] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e7f30 [0109.643] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0109.664] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0109.664] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x107cd, lpOverlapped=0x0) returned 1 [0109.667] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0109.667] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.667] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.669] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.669] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.669] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.669] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.670] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.670] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.670] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.670] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.670] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.670] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.670] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.671] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.671] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.671] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.671] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0109.671] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0109.671] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0109.672] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0109.672] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0109.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0109.679] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e7f30 | out: hHeap=0x470000) returned 1 [0109.679] CloseHandle (hObject=0x5e8) returned 1 [0109.680] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0109.681] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\aFqKTEVkXz4.pps" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\afqktevkxz4.pps"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\aFqKTEVkXz4.pps.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\afqktevkxz4.pps.avdn"), dwFlags=0x1) returned 1 [0109.686] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0109.686] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0109.686] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0109.686] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0109.686] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.686] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0109.686] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0109.687] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0109.733] CloseHandle (hObject=0x5e8) returned 1 [0109.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0109.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0109.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0109.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0109.734] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7af125b0, ftCreationTime.dwHighDateTime=0x1d7e126, ftLastAccessTime.dwLowDateTime=0x70fe7320, ftLastAccessTime.dwHighDateTime=0x1d7e68d, ftLastWriteTime.dwLowDateTime=0x70fe7320, ftLastWriteTime.dwHighDateTime=0x1d7e68d, nFileSizeHigh=0x0, nFileSizeLow=0xf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="JGMjgzsvl.swf", cAlternateFileName="JGMJGZ~1.SWF")) returned 1 [0109.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0109.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0109.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0109.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0109.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0109.735] GetLastError () returned 0x0 [0109.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0109.735] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0109.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0109.735] GetLastError () returned 0x0 [0109.735] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5e970 [0109.735] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\JGMjgzsvl.swf" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\jgmjgzsvl.swf"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0109.736] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.736] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0109.737] CloseHandle (hObject=0x5e8) returned 1 [0109.737] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0109.737] RmStartSession () returned 0x0 [0109.868] RmRegisterResources () returned 0x0 [0109.872] RmGetList () returned 0x0 [0109.945] RmShutdown () returned 0x0 [0110.065] RmEndSession () returned 0x0 [0110.068] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f890) returned 1 [0110.068] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\JGMjgzsvl.swf" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\jgmjgzsvl.swf")) returned 0x20 [0110.069] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\JGMjgzsvl.swf", dwFileAttributes=0x20) returned 1 [0110.069] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\JGMjgzsvl.swf" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\jgmjgzsvl.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0110.069] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0110.069] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=3936) returned 1 [0110.069] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e7f30 [0110.069] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0110.109] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0110.109] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0xf60, lpOverlapped=0x0) returned 1 [0110.111] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0110.111] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0110.111] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0110.111] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0110.111] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0110.111] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0110.111] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0110.116] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e7f30 | out: hHeap=0x470000) returned 1 [0110.117] CloseHandle (hObject=0x5e8) returned 1 [0110.118] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0110.118] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\JGMjgzsvl.swf" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\jgmjgzsvl.swf"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\JGMjgzsvl.swf.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\jgmjgzsvl.swf.avdn"), dwFlags=0x1) returned 1 [0110.120] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0110.120] CryptDestroyKey (hKey=0x2c5f890) returned 1 [0110.120] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0110.120] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x70) returned 0x2c5eb50 [0110.120] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0110.120] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0110.120] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0110.121] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0110.122] CloseHandle (hObject=0x5e8) returned 1 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5eb50 | out: hHeap=0x470000) returned 1 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c5e970 | out: hHeap=0x470000) returned 1 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0110.123] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c9b4100, ftCreationTime.dwHighDateTime=0x1d7e6f8, ftLastAccessTime.dwLowDateTime=0x9d1819c0, ftLastAccessTime.dwHighDateTime=0x1d7e719, ftLastWriteTime.dwLowDateTime=0x9d1819c0, ftLastWriteTime.dwHighDateTime=0x1d7e719, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MfvhZsjFMLaQe 59.mp3", cAlternateFileName="MFVHZS~1.MP3")) returned 1 [0110.123] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0110.123] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0110.123] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0110.123] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0110.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0110.123] GetLastError () returned 0xb7 [0110.124] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0110.124] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0110.124] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0110.124] GetLastError () returned 0xb7 [0110.124] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0110.124] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\MfvhZsjFMLaQe 59.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\mfvhzsjfmlaqe 59.mp3"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0110.124] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.124] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0110.125] CloseHandle (hObject=0x5e8) returned 1 [0110.125] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0110.125] RmStartSession () returned 0x0 [0110.127] RmRegisterResources () returned 0x0 [0110.131] RmGetList () returned 0x0 [0110.177] RmShutdown () returned 0x0 [0111.261] RmEndSession () returned 0x0 [0111.265] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f990) returned 1 [0111.265] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\MfvhZsjFMLaQe 59.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\mfvhzsjfmlaqe 59.mp3")) returned 0x20 [0111.265] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\MfvhZsjFMLaQe 59.mp3", dwFileAttributes=0x20) returned 1 [0111.265] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\MfvhZsjFMLaQe 59.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\mfvhzsjfmlaqe 59.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0111.265] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0111.265] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=2367) returned 1 [0111.266] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e7f30 [0111.266] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0111.282] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0111.282] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x93f, lpOverlapped=0x0) returned 1 [0111.283] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0111.283] CryptEncrypt (in: hKey=0x2c5f990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0111.283] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0111.284] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0111.284] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0111.284] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0111.284] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0111.360] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e7f30 | out: hHeap=0x470000) returned 1 [0111.360] CloseHandle (hObject=0x5e8) returned 1 [0111.361] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0111.361] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\MfvhZsjFMLaQe 59.mp3" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\mfvhzsjfmlaqe 59.mp3"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\MfvhZsjFMLaQe 59.mp3.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\mfvhzsjfmlaqe 59.mp3.avdn"), dwFlags=0x1) returned 1 [0111.362] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0111.362] CryptDestroyKey (hKey=0x2c5f990) returned 1 [0111.362] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d55c0 | out: hHeap=0x470000) returned 1 [0111.362] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0111.362] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0111.362] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d5648 [0111.362] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0111.364] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0111.365] CloseHandle (hObject=0x5e8) returned 1 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d5648 | out: hHeap=0x470000) returned 1 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d55c0 | out: hHeap=0x470000) returned 1 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0111.366] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a4f900, ftCreationTime.dwHighDateTime=0x1d7e390, ftLastAccessTime.dwLowDateTime=0xb5f08fa0, ftLastAccessTime.dwHighDateTime=0x1d7e6f0, ftLastWriteTime.dwLowDateTime=0xb5f08fa0, ftLastWriteTime.dwHighDateTime=0x1d7e6f0, nFileSizeHigh=0x0, nFileSizeLow=0x1445b, dwReserved0=0x0, dwReserved1=0x0, cFileName="N5gxiC7mfninX7I.wav", cAlternateFileName="N5GXIC~1.WAV")) returned 1 [0111.366] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0111.366] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0111.366] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0111.366] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0111.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0111.367] GetLastError () returned 0xb7 [0111.367] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0111.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0111.367] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0111.367] GetLastError () returned 0xb7 [0111.367] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0111.367] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\N5gxiC7mfninX7I.wav" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\n5gxic7mfninx7i.wav"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0111.367] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.367] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0111.368] CloseHandle (hObject=0x5e8) returned 1 [0111.368] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0111.368] RmStartSession () returned 0x0 [0111.370] RmRegisterResources () returned 0x0 [0111.375] RmGetList () returned 0x0 [0111.745] RmShutdown () returned 0x0 [0112.183] RmEndSession () returned 0x0 [0112.187] CryptDuplicateKey (in: hKey=0x49b8e8, pdwReserved=0x0, dwFlags=0x0, phKey=0x350e9f0 | out: phKey=0x350e9f0*=0x2c5f890) returned 1 [0112.187] GetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\N5gxiC7mfninX7I.wav" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\n5gxic7mfninx7i.wav")) returned 0x20 [0112.187] SetFileAttributesW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\N5gxiC7mfninX7I.wav", dwFileAttributes=0x20) returned 1 [0112.188] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\N5gxiC7mfninX7I.wav" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\n5gxic7mfninx7i.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0112.188] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x350e948*=0x2000, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x350e948*=0x2000) returned 1 [0112.188] GetFileSizeEx (in: hFile=0x5e8, lpFileSize=0x350e934 | out: lpFileSize=0x350e934*=83035) returned 1 [0112.188] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2033) returned 0x30e7f30 [0112.189] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100033) returned 0x2ea0020 [0112.206] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0112.206] ReadFile (in: hFile=0x5e8, lpBuffer=0x2ea0040, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x350e93c, lpOverlapped=0x0 | out: lpBuffer=0x2ea0040*, lpNumberOfBytesRead=0x350e93c*=0x1445b, lpOverlapped=0x0) returned 1 [0112.278] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e924 | out: lpNewFilePointer=0x0) returned 1 [0112.278] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.278] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.278] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.279] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.279] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.279] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.279] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.279] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.279] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.279] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.280] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.280] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.280] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.280] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.280] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.280] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.280] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.281] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.281] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.281] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.281] CryptEncrypt (in: hKey=0x2c5f890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000, dwBufLen=0x2000 | out: pbData=0x30e7f40*, pdwDataLen=0x350e944*=0x2000) returned 1 [0112.281] WriteFile (in: hFile=0x5e8, lpBuffer=0x30e7f40*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x30e7f40*, lpNumberOfBytesWritten=0x350e94c*=0x2000, lpOverlapped=0x0) returned 1 [0112.281] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x350e92c | out: lpNewFilePointer=0x0) returned 1 [0112.282] WriteFile (in: hFile=0x5e8, lpBuffer=0x4baad8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x4baad8*, lpNumberOfBytesWritten=0x350e94c*=0x200, lpOverlapped=0x0) returned 1 [0112.282] WriteFile (in: hFile=0x5e8, lpBuffer=0x350e8dc*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x350e94c, lpOverlapped=0x0 | out: lpBuffer=0x350e8dc*, lpNumberOfBytesWritten=0x350e94c*=0x18, lpOverlapped=0x0) returned 1 [0112.282] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2ea0020 | out: hHeap=0x470000) returned 1 [0112.288] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30e7f30 | out: hHeap=0x470000) returned 1 [0112.288] CloseHandle (hObject=0x5e8) returned 1 [0112.290] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x90) returned 0x2cb4bb0 [0112.290] MoveFileExW (lpExistingFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\N5gxiC7mfninX7I.wav" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\n5gxic7mfninx7i.wav"), lpNewFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\N5gxiC7mfninX7I.wav.avdn" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\n5gxic7mfninx7i.wav.avdn"), dwFlags=0x1) returned 1 [0112.291] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4bb0 | out: hHeap=0x470000) returned 1 [0112.291] CryptDestroyKey (hKey=0x2c5f890) returned 1 [0112.291] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d55c0 | out: hHeap=0x470000) returned 1 [0112.291] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0112.291] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0112.291] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d5648 [0112.291] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\041656-readme.html" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\041656-readme.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0112.292] WriteFile (in: hFile=0x5e8, lpBuffer=0x49e540*, nNumberOfBytesToWrite=0xc78d, lpNumberOfBytesWritten=0x350e9f0, lpOverlapped=0x0 | out: lpBuffer=0x49e540*, lpNumberOfBytesWritten=0x350e9f0*=0xc78d, lpOverlapped=0x0) returned 1 [0112.294] CloseHandle (hObject=0x5e8) returned 1 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d5648 | out: hHeap=0x470000) returned 1 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d55c0 | out: hHeap=0x470000) returned 1 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d54b0 | out: hHeap=0x470000) returned 1 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0112.294] FindNextFileW (in: hFindFile=0x2c5f950, lpFindFileData=0x350eb78 | out: lpFindFileData=0x350eb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5acf2000, ftCreationTime.dwHighDateTime=0x1d7e781, ftLastAccessTime.dwLowDateTime=0x966059d0, ftLastAccessTime.dwHighDateTime=0x1d7e791, ftLastWriteTime.dwLowDateTime=0x966059d0, ftLastWriteTime.dwHighDateTime=0x1d7e791, nFileSizeHigh=0x0, nFileSizeLow=0xb8de, dwReserved0=0x0, dwReserved1=0x0, cFileName="RFJTv9x-gQ067-kfdq.ppt", cAlternateFileName="RFJTV9~1.PPT")) returned 1 [0112.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0112.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0112.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2cb4c48 | out: hHeap=0x470000) returned 1 [0112.294] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x60) returned 0x2c473b0 [0112.295] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8e) returned 0x2cb4c48 [0112.295] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2c473b0 | out: hHeap=0x470000) returned 1 [0112.295] GetLastError () returned 0xb7 [0112.295] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x30f90e8 [0112.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x8, lpMultiByteStr=0x350e9e4, cbMultiByte=10, lpWideCharStr=0x30f90e8, cchWideChar=10 | out: lpWideCharStr="bckgrd.bmp") returned 10 [0112.295] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x30f90e8 | out: hHeap=0x470000) returned 1 [0112.295] GetLastError () returned 0xb7 [0112.295] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d54b0 [0112.295] CreateFileW (lpFileName="C:\\\\Users\\kEecfMwgj\\Desktop\\3NR2RNc6BbR\\RFJTv9x-gQ067-kfdq.ppt" (normalized: "c:\\users\\keecfmwgj\\desktop\\3nr2rnc6bbr\\rfjtv9x-gq067-kfdq.ppt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0112.295] SetFilePointerEx (in: hFile=0x5e8, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x350e958 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.295] ReadFile (in: hFile=0x5e8, lpBuffer=0x49d788, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x350e950, lpOverlapped=0x0 | out: lpBuffer=0x49d788*, lpNumberOfBytesRead=0x350e950*=0x18, lpOverlapped=0x0) returned 1 [0112.296] CloseHandle (hObject=0x5e8) returned 1 [0112.296] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x80) returned 0x4d55c0 [0112.296] RmStartSession () returned 0x0 [0112.298] RmRegisterResources () returned 0x0 [0112.302] RmGetList () returned 0x0 [0112.385] RmShutdown () Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa35b000" os_pid = "0x360" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 400 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 401 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 402 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 403 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 404 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 405 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 406 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 407 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 408 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 409 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 410 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 411 start_va = 0x190000 end_va = 0x19afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 412 start_va = 0x1a0000 end_va = 0x1acfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 413 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 414 start_va = 0x1c0000 end_va = 0x1c9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 415 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 416 start_va = 0x1e0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 417 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 418 start_va = 0x3e0000 end_va = 0x3e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 419 start_va = 0x3f0000 end_va = 0x3f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 420 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 421 start_va = 0x410000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 422 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 423 start_va = 0x450000 end_va = 0x45dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 424 start_va = 0x460000 end_va = 0x467fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 425 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 426 start_va = 0x480000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 427 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 428 start_va = 0x7a0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 429 start_va = 0x860000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 430 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 431 start_va = 0x8f0000 end_va = 0x90bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 432 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 433 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 434 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 435 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 436 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 437 start_va = 0x960000 end_va = 0x966fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 438 start_va = 0x970000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 439 start_va = 0x980000 end_va = 0x985fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 440 start_va = 0x990000 end_va = 0x9a9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 441 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 442 start_va = 0x9c0000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 443 start_va = 0x9d0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 444 start_va = 0xa50000 end_va = 0xab5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 445 start_va = 0xac0000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 446 start_va = 0xb40000 end_va = 0xb40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 447 start_va = 0xb50000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 448 start_va = 0xbd0000 end_va = 0xe9efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 449 start_va = 0xea0000 end_va = 0xea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 450 start_va = 0xeb0000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 451 start_va = 0xf30000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 452 start_va = 0xf40000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 453 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 454 start_va = 0xfd0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 455 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 456 start_va = 0x1070000 end_va = 0x1071fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 457 start_va = 0x1080000 end_va = 0x1080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 458 start_va = 0x1090000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 459 start_va = 0x10a0000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 460 start_va = 0x1120000 end_va = 0x1127fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 461 start_va = 0x1130000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 462 start_va = 0x1140000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 463 start_va = 0x11c0000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 464 start_va = 0x1240000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 465 start_va = 0x1250000 end_va = 0x125ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Region: id = 466 start_va = 0x1260000 end_va = 0x126ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 467 start_va = 0x1270000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 468 start_va = 0x1280000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Region: id = 469 start_va = 0x1290000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001290000" filename = "" Region: id = 470 start_va = 0x12a0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 471 start_va = 0x12b0000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 472 start_va = 0x12c0000 end_va = 0x12c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 473 start_va = 0x12d0000 end_va = 0x12dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 474 start_va = 0x12e0000 end_va = 0x135ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 475 start_va = 0x1360000 end_va = 0x136ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001360000" filename = "" Region: id = 476 start_va = 0x1370000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001370000" filename = "" Region: id = 477 start_va = 0x1380000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001380000" filename = "" Region: id = 478 start_va = 0x1390000 end_va = 0x139ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001390000" filename = "" Region: id = 479 start_va = 0x13a0000 end_va = 0x13affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013a0000" filename = "" Region: id = 480 start_va = 0x13b0000 end_va = 0x13bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013b0000" filename = "" Region: id = 481 start_va = 0x13c0000 end_va = 0x13cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 482 start_va = 0x13d0000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 483 start_va = 0x1450000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 484 start_va = 0x1460000 end_va = 0x14dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 485 start_va = 0x14e0000 end_va = 0x155ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 486 start_va = 0x1560000 end_va = 0x156ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 487 start_va = 0x1570000 end_va = 0x157ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 488 start_va = 0x1580000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 489 start_va = 0x1600000 end_va = 0x1607fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 490 start_va = 0x1610000 end_va = 0x161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 491 start_va = 0x1630000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 492 start_va = 0x16b0000 end_va = 0x172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 493 start_va = 0x1750000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001750000" filename = "" Region: id = 494 start_va = 0x1770000 end_va = 0x17effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 495 start_va = 0x1830000 end_va = 0x18affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 496 start_va = 0x18c0000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 497 start_va = 0x1960000 end_va = 0x19dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 498 start_va = 0x19e0000 end_va = 0x1a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 499 start_va = 0x1a60000 end_va = 0x1b1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 500 start_va = 0x1b50000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b50000" filename = "" Region: id = 501 start_va = 0x1bd0000 end_va = 0x1c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 502 start_va = 0x1c50000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 503 start_va = 0x1cd0000 end_va = 0x1d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 504 start_va = 0x1d60000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 505 start_va = 0x1e60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 506 start_va = 0x1f90000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 507 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 508 start_va = 0x2130000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 509 start_va = 0x21f0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 510 start_va = 0x2270000 end_va = 0x22effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 511 start_va = 0x22f0000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 512 start_va = 0x23b0000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 513 start_va = 0x23c0000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 514 start_va = 0x2450000 end_va = 0x24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 515 start_va = 0x24d0000 end_va = 0x250ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024d0000" filename = "" Region: id = 516 start_va = 0x2510000 end_va = 0x254ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002510000" filename = "" Region: id = 517 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 518 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 519 start_va = 0x2730000 end_va = 0x27affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 520 start_va = 0x27c0000 end_va = 0x27cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 521 start_va = 0x27d0000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 522 start_va = 0x2910000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 523 start_va = 0x29b0000 end_va = 0x2a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 524 start_va = 0x2a50000 end_va = 0x2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 525 start_va = 0x2b90000 end_va = 0x2c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 526 start_va = 0x2cd0000 end_va = 0x2d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 527 start_va = 0x2d50000 end_va = 0x2dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 528 start_va = 0x2de0000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 529 start_va = 0x2ec0000 end_va = 0x2f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 530 start_va = 0x2f70000 end_va = 0x2feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 531 start_va = 0x2ff0000 end_va = 0x306ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 532 start_va = 0x3090000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 533 start_va = 0x3110000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 534 start_va = 0x3310000 end_va = 0x338ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 535 start_va = 0x33a0000 end_va = 0x341ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 536 start_va = 0x3430000 end_va = 0x34affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 537 start_va = 0x34c0000 end_va = 0x353ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 538 start_va = 0x3540000 end_va = 0x35bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 539 start_va = 0x35c0000 end_va = 0x363ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 540 start_va = 0x3640000 end_va = 0x373ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 541 start_va = 0x3740000 end_va = 0x37bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 542 start_va = 0x3810000 end_va = 0x388ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003810000" filename = "" Region: id = 543 start_va = 0x3910000 end_va = 0x398ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003910000" filename = "" Region: id = 544 start_va = 0x3a30000 end_va = 0x3b2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a30000" filename = "" Region: id = 545 start_va = 0x3b30000 end_va = 0x3baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b30000" filename = "" Region: id = 546 start_va = 0x3bb0000 end_va = 0x3faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bb0000" filename = "" Region: id = 547 start_va = 0x4080000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 548 start_va = 0x4130000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 549 start_va = 0x4200000 end_va = 0x427ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 550 start_va = 0x42c0000 end_va = 0x433ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 551 start_va = 0x43c0000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 552 start_va = 0x4460000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 553 start_va = 0x4470000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 554 start_va = 0x4670000 end_va = 0x476ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 555 start_va = 0x4770000 end_va = 0x486ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 556 start_va = 0x4870000 end_va = 0x496ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004870000" filename = "" Region: id = 557 start_va = 0x4970000 end_va = 0x4a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004970000" filename = "" Region: id = 558 start_va = 0x4a90000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 559 start_va = 0x4b10000 end_va = 0x4c0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b10000" filename = "" Region: id = 560 start_va = 0x4c10000 end_va = 0x4d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c10000" filename = "" Region: id = 561 start_va = 0x4d10000 end_va = 0x5d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d10000" filename = "" Region: id = 562 start_va = 0x5e00000 end_va = 0x5e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 563 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 564 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 565 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 566 start_va = 0x779d0000 end_va = 0x779d6fff monitored = 0 entry_point = 0x779d106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 567 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 568 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 569 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 570 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 571 start_va = 0x7fef05c0000 end_va = 0x7fef0812fff monitored = 0 entry_point = 0x7fef05c236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 572 start_va = 0x7fef14c0000 end_va = 0x7fef14cefff monitored = 0 entry_point = 0x7fef14c9a48 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 573 start_va = 0x7fef1f50000 end_va = 0x7fef1f94fff monitored = 0 entry_point = 0x7fef1f83644 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 574 start_va = 0x7fef2300000 end_va = 0x7fef2311fff monitored = 0 entry_point = 0x7fef23090bc region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 575 start_va = 0x7fef26d0000 end_va = 0x7fef27a1fff monitored = 0 entry_point = 0x7fef2761a10 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 576 start_va = 0x7fef27b0000 end_va = 0x7fef2a29fff monitored = 0 entry_point = 0x7fef27e2200 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 577 start_va = 0x7fef2ab0000 end_va = 0x7fef2ab9fff monitored = 0 entry_point = 0x7fef2ab3994 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 578 start_va = 0x7fef4120000 end_va = 0x7fef413bfff monitored = 0 entry_point = 0x7fef41211a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 579 start_va = 0x7fef4140000 end_va = 0x7fef41a1fff monitored = 0 entry_point = 0x7fef4141198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 580 start_va = 0x7fef41b0000 end_va = 0x7fef41e9fff monitored = 0 entry_point = 0x7fef41b1010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 581 start_va = 0x7fef4890000 end_va = 0x7fef4900fff monitored = 0 entry_point = 0x7fef48cecc4 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 582 start_va = 0x7fef4990000 end_va = 0x7fef49acfff monitored = 0 entry_point = 0x7fef4992f18 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 583 start_va = 0x7fef49c0000 end_va = 0x7fef49d4fff monitored = 0 entry_point = 0x7fef49c1020 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 584 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 585 start_va = 0x7fef4e30000 end_va = 0x7fef4ea0fff monitored = 0 entry_point = 0x7fef4e751d0 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 586 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 587 start_va = 0x7fef4ed0000 end_va = 0x7fef4f84fff monitored = 0 entry_point = 0x7fef4f4cf80 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 588 start_va = 0x7fef4f90000 end_va = 0x7fef4f97fff monitored = 0 entry_point = 0x7fef4f91414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 589 start_va = 0x7fef4fa0000 end_va = 0x7fef4ff9fff monitored = 0 entry_point = 0x7fef4fddde0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 590 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 591 start_va = 0x7fef5030000 end_va = 0x7fef509afff monitored = 0 entry_point = 0x7fef5074344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 592 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 593 start_va = 0x7fef50c0000 end_va = 0x7fef5121fff monitored = 0 entry_point = 0x7fef50fbd80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 594 start_va = 0x7fef5130000 end_va = 0x7fef525bfff monitored = 0 entry_point = 0x7fef51e0ef0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 595 start_va = 0x7fef5260000 end_va = 0x7fef5279fff monitored = 0 entry_point = 0x7fef5273fbc region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 596 start_va = 0x7fef5280000 end_va = 0x7fef5303fff monitored = 0 entry_point = 0x7fef52d1118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 597 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 598 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 599 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 600 start_va = 0x7fef5470000 end_va = 0x7fef5488fff monitored = 0 entry_point = 0x7fef5471104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 601 start_va = 0x7fef5490000 end_va = 0x7fef54dffff monitored = 0 entry_point = 0x7fef5491190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 602 start_va = 0x7fef54e0000 end_va = 0x7fef54e7fff monitored = 0 entry_point = 0x7fef54e1020 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 603 start_va = 0x7fef54f0000 end_va = 0x7fef5514fff monitored = 0 entry_point = 0x7fef5508c54 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 604 start_va = 0x7fef5520000 end_va = 0x7fef555cfff monitored = 0 entry_point = 0x7fef5521070 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 605 start_va = 0x7fef5560000 end_va = 0x7fef55a6fff monitored = 0 entry_point = 0x7fef5561040 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 606 start_va = 0x7fef55b0000 end_va = 0x7fef55f1fff monitored = 0 entry_point = 0x7fef55b17e4 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 607 start_va = 0x7fef5600000 end_va = 0x7fef5610fff monitored = 0 entry_point = 0x7fef56014c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 608 start_va = 0x7fef5620000 end_va = 0x7fef56b1fff monitored = 0 entry_point = 0x7fef56951ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 609 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 610 start_va = 0x7fef5740000 end_va = 0x7fef5779fff monitored = 0 entry_point = 0x7fef575d020 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 611 start_va = 0x7fef5960000 end_va = 0x7fef5970fff monitored = 0 entry_point = 0x7fef5969e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 612 start_va = 0x7fef5a10000 end_va = 0x7fef5a73fff monitored = 0 entry_point = 0x7fef5a11254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 613 start_va = 0x7fef5a80000 end_va = 0x7fef5af0fff monitored = 0 entry_point = 0x7fef5a81010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 614 start_va = 0x7fef5b90000 end_va = 0x7fef5ba6fff monitored = 0 entry_point = 0x7fef5b91060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 615 start_va = 0x7fef5bb0000 end_va = 0x7fef5d5ffff monitored = 0 entry_point = 0x7fef5bb1010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 616 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 617 start_va = 0x7fef7f60000 end_va = 0x7fef7f7afff monitored = 0 entry_point = 0x7fef7f61198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 618 start_va = 0x7fef8080000 end_va = 0x7fef8088fff monitored = 0 entry_point = 0x7fef80811a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 619 start_va = 0x7fef8d20000 end_va = 0x7fef8d96fff monitored = 0 entry_point = 0x7fef8d2afd0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 620 start_va = 0x7fef8df0000 end_va = 0x7fef8eddfff monitored = 0 entry_point = 0x7fef8df12a0 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 621 start_va = 0x7fef8ee0000 end_va = 0x7fef8ee9fff monitored = 0 entry_point = 0x7fef8ee260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 622 start_va = 0x7fef8ef0000 end_va = 0x7fef9001fff monitored = 0 entry_point = 0x7fef8f0f354 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 623 start_va = 0x7fef9010000 end_va = 0x7fef901efff monitored = 0 entry_point = 0x7fef9017e80 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 624 start_va = 0x7fef9020000 end_va = 0x7fef9028fff monitored = 0 entry_point = 0x7fef9023668 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 625 start_va = 0x7fef9030000 end_va = 0x7fef9038fff monitored = 0 entry_point = 0x7fef9031020 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 626 start_va = 0x7fef9040000 end_va = 0x7fef9095fff monitored = 0 entry_point = 0x7fef9041040 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 627 start_va = 0x7fef90a0000 end_va = 0x7fef90fdfff monitored = 0 entry_point = 0x7fef90a9024 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 628 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 629 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 630 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 631 start_va = 0x7fef96f0000 end_va = 0x7fef9706fff monitored = 0 entry_point = 0x7fef96f9d50 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 632 start_va = 0x7fef98b0000 end_va = 0x7fef98f1fff monitored = 0 entry_point = 0x7fef98e0048 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 633 start_va = 0x7fef9900000 end_va = 0x7fef9919fff monitored = 0 entry_point = 0x7fef9911ae4 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 634 start_va = 0x7fef9940000 end_va = 0x7fef994efff monitored = 0 entry_point = 0x7fef9946894 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 635 start_va = 0x7fefb210000 end_va = 0x7fefb223fff monitored = 0 entry_point = 0x7fefb213e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 636 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 637 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 638 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 639 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 640 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 641 start_va = 0x7fefb310000 end_va = 0x7fefb31ffff monitored = 0 entry_point = 0x7fefb31835c region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 642 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 643 start_va = 0x7fefb340000 end_va = 0x7fefb376fff monitored = 0 entry_point = 0x7fefb348424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 644 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 645 start_va = 0x7fefb3e0000 end_va = 0x7fefb4a1fff monitored = 0 entry_point = 0x7fefb3e101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 646 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 647 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 648 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 649 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 650 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 651 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 652 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 653 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 654 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 655 start_va = 0x7fefc200000 end_va = 0x7fefc21cfff monitored = 0 entry_point = 0x7fefc201ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 656 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 657 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 658 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 659 start_va = 0x7fefc920000 end_va = 0x7fefc9dafff monitored = 0 entry_point = 0x7fefc926de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 660 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 661 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 662 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 663 start_va = 0x7fefcb10000 end_va = 0x7fefcb21fff monitored = 0 entry_point = 0x7fefcb11060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 664 start_va = 0x7fefcb30000 end_va = 0x7fefcb4efff monitored = 0 entry_point = 0x7fefcb35c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 665 start_va = 0x7fefcc00000 end_va = 0x7fefcc38fff monitored = 0 entry_point = 0x7fefcc0c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 666 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 667 start_va = 0x7fefcc50000 end_va = 0x7fefcc5cfff monitored = 0 entry_point = 0x7fefcc51348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 668 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 669 start_va = 0x7fefce30000 end_va = 0x7fefce5ffff monitored = 0 entry_point = 0x7fefce3194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 670 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 671 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 672 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 673 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 674 start_va = 0x7fefd150000 end_va = 0x7fefd181fff monitored = 0 entry_point = 0x7fefd15144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 675 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 676 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 677 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 678 start_va = 0x7fefd2c0000 end_va = 0x7fefd2d3fff monitored = 0 entry_point = 0x7fefd2c4160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 679 start_va = 0x7fefd520000 end_va = 0x7fefd527fff monitored = 0 entry_point = 0x7fefd522a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 680 start_va = 0x7fefd530000 end_va = 0x7fefd539fff monitored = 0 entry_point = 0x7fefd533b40 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 681 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 682 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 683 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 684 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 685 start_va = 0x7fefd650000 end_va = 0x7fefd6e0fff monitored = 0 entry_point = 0x7fefd651440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 686 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 687 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 688 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 689 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 690 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 691 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 692 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 693 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 694 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 695 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 696 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 697 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 698 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 699 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 700 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 701 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 702 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 703 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 704 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 705 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 706 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 707 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 708 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 709 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 710 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 711 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 712 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 713 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 714 start_va = 0x7fffff50000 end_va = 0x7fffff51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff50000" filename = "" Region: id = 715 start_va = 0x7fffff52000 end_va = 0x7fffff53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 716 start_va = 0x7fffff54000 end_va = 0x7fffff55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff54000" filename = "" Region: id = 717 start_va = 0x7fffff56000 end_va = 0x7fffff57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff56000" filename = "" Region: id = 718 start_va = 0x7fffff58000 end_va = 0x7fffff59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff58000" filename = "" Region: id = 719 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 720 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 721 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 722 start_va = 0x7fffff60000 end_va = 0x7fffff61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 723 start_va = 0x7fffff62000 end_va = 0x7fffff63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 724 start_va = 0x7fffff64000 end_va = 0x7fffff65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 725 start_va = 0x7fffff66000 end_va = 0x7fffff67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 726 start_va = 0x7fffff68000 end_va = 0x7fffff69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 727 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 728 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 729 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 730 start_va = 0x7fffff70000 end_va = 0x7fffff71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 731 start_va = 0x7fffff72000 end_va = 0x7fffff73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 732 start_va = 0x7fffff78000 end_va = 0x7fffff79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 733 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 734 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 735 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 736 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 737 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 738 start_va = 0x7fffff84000 end_va = 0x7fffff85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 739 start_va = 0x7fffff86000 end_va = 0x7fffff87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 740 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 741 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 742 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 743 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 744 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 745 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 746 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 747 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 748 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 749 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 750 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 751 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 752 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 753 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 754 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 755 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 756 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 757 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 758 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 759 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 760 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 761 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 762 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 763 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 764 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 765 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 766 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1216 start_va = 0x2c60000 end_va = 0x2cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 1217 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1713 start_va = 0xff0000 end_va = 0xff1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 2920 start_va = 0x960000 end_va = 0x96ffff monitored = 0 entry_point = 0x963e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 2921 start_va = 0x970000 end_va = 0x973fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 2924 start_va = 0x5d40000 end_va = 0x5dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d40000" filename = "" Region: id = 2925 start_va = 0x7fefb150000 end_va = 0x7fefb164fff monitored = 0 entry_point = 0x7fefb151010 region_type = mapped_file name = "aelupsvc.dll" filename = "\\Windows\\System32\\aelupsvc.dll" (normalized: "c:\\windows\\system32\\aelupsvc.dll") Region: id = 2926 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2927 start_va = 0x5e80000 end_va = 0x600ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e80000" filename = "" Region: id = 2928 start_va = 0x2c10000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c10000" filename = "" Region: id = 2929 start_va = 0x3ff0000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ff0000" filename = "" Region: id = 2930 start_va = 0x4340000 end_va = 0x43bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 2931 start_va = 0x7fffff76000 end_va = 0x7fffff77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 2932 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 2933 start_va = 0x7fef40e0000 end_va = 0x7fef411efff monitored = 0 entry_point = 0x7fef40e12c0 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 3127 start_va = 0x7fefab40000 end_va = 0x7fefad13fff monitored = 0 entry_point = 0x7fefab76b00 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 3128 start_va = 0x5e80000 end_va = 0x5feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e80000" filename = "" Region: id = 3129 start_va = 0x6000000 end_va = 0x600ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 3130 start_va = 0x5d10000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d10000" filename = "" Region: id = 3131 start_va = 0x3990000 end_va = 0x3a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 3132 start_va = 0x6010000 end_va = 0x640ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006010000" filename = "" Region: id = 3133 start_va = 0x960000 end_va = 0x960fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 3134 start_va = 0x970000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 3135 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 3136 start_va = 0x6410000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006410000" filename = "" Region: id = 3137 start_va = 0xff0000 end_va = 0xff2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 3138 start_va = 0x5ec0000 end_va = 0x5f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ec0000" filename = "" Region: id = 3139 start_va = 0x5f70000 end_va = 0x5feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f70000" filename = "" Region: id = 3140 start_va = 0x6600000 end_va = 0x667ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 3141 start_va = 0x66d0000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066d0000" filename = "" Region: id = 3142 start_va = 0x6840000 end_va = 0x68bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006840000" filename = "" Region: id = 3143 start_va = 0x7fffff4e000 end_va = 0x7fffff4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff4e000" filename = "" Region: id = 3144 start_va = 0x7fffff74000 end_va = 0x7fffff75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 3145 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3146 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3148 start_va = 0x6530000 end_va = 0x65d9fff monitored = 0 entry_point = 0x6534104 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 3149 start_va = 0x1000000 end_va = 0x100cfff monitored = 0 entry_point = 0x100a138 region_type = mapped_file name = "wuauclt.exe" filename = "\\Windows\\System32\\wuauclt.exe" (normalized: "c:\\windows\\system32\\wuauclt.exe") Region: id = 3150 start_va = 0x68c0000 end_va = 0x6b0efff monitored = 0 entry_point = 0x68c236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 3151 start_va = 0x1000000 end_va = 0x1007fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3152 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3153 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Thread: id = 8 os_tid = 0xa54 Thread: id = 9 os_tid = 0xa50 Thread: id = 10 os_tid = 0x8c4 Thread: id = 11 os_tid = 0x8c0 Thread: id = 12 os_tid = 0x9f0 Thread: id = 13 os_tid = 0x898 Thread: id = 14 os_tid = 0x8a4 Thread: id = 15 os_tid = 0x894 Thread: id = 16 os_tid = 0x890 Thread: id = 17 os_tid = 0x23c Thread: id = 18 os_tid = 0x180 Thread: id = 19 os_tid = 0x770 Thread: id = 20 os_tid = 0x7dc Thread: id = 21 os_tid = 0x5bc Thread: id = 22 os_tid = 0x62c Thread: id = 23 os_tid = 0x230 Thread: id = 24 os_tid = 0x124 Thread: id = 25 os_tid = 0x7d8 Thread: id = 26 os_tid = 0x118 Thread: id = 27 os_tid = 0x2a0 Thread: id = 28 os_tid = 0xc4 Thread: id = 29 os_tid = 0x35c Thread: id = 30 os_tid = 0x710 Thread: id = 31 os_tid = 0x478 Thread: id = 32 os_tid = 0x444 Thread: id = 33 os_tid = 0x440 Thread: id = 34 os_tid = 0x76c Thread: id = 35 os_tid = 0x748 Thread: id = 36 os_tid = 0x730 Thread: id = 37 os_tid = 0x724 Thread: id = 38 os_tid = 0x718 Thread: id = 39 os_tid = 0x6fc Thread: id = 40 os_tid = 0x6e8 Thread: id = 41 os_tid = 0x6e0 Thread: id = 42 os_tid = 0x6c0 Thread: id = 43 os_tid = 0x6ac Thread: id = 44 os_tid = 0x694 Thread: id = 45 os_tid = 0x4b0 Thread: id = 46 os_tid = 0x4ac Thread: id = 47 os_tid = 0x49c Thread: id = 48 os_tid = 0x498 Thread: id = 49 os_tid = 0x48c Thread: id = 50 os_tid = 0x1bc Thread: id = 51 os_tid = 0x120 Thread: id = 52 os_tid = 0x3f0 Thread: id = 53 os_tid = 0x3e4 Thread: id = 54 os_tid = 0x3d8 Thread: id = 55 os_tid = 0x380 Thread: id = 56 os_tid = 0x37c Thread: id = 57 os_tid = 0x378 Thread: id = 58 os_tid = 0x36c Thread: id = 59 os_tid = 0x364 Thread: id = 60 os_tid = 0x924 Thread: id = 142 os_tid = 0x77c Thread: id = 143 os_tid = 0x8fc Thread: id = 144 os_tid = 0x90c Thread: id = 167 os_tid = 0xa0c Thread: id = 168 os_tid = 0xacc Thread: id = 169 os_tid = 0xb50 Thread: id = 170 os_tid = 0x924 Thread: id = 171 os_tid = 0x5c4 Thread: id = 172 os_tid = 0x7b4 Process: id = "3" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x4441e000" os_pid = "0xa04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xae4" cmd_line = "wmic.exe SHADOWCOPY /nointeractive" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1575 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1576 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1577 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1578 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1579 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1580 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1581 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1582 start_va = 0xee0000 end_va = 0xf42fff monitored = 1 entry_point = 0xf1d81a region_type = mapped_file name = "wmic.exe" filename = "\\Windows\\SysWOW64\\wbem\\WMIC.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe") Region: id = 1583 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1584 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1585 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1586 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1587 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1588 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1589 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1590 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1591 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1592 start_va = 0x1f0000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1593 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1594 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1595 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1596 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1597 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1598 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1599 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1600 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1601 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1602 start_va = 0x270000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1603 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1604 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1605 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1606 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1607 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1608 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1609 start_va = 0xf0000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1610 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1611 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1612 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1613 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1614 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1615 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1616 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1617 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1618 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1619 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1620 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1621 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1622 start_va = 0x72b70000 end_va = 0x72ba4fff monitored = 0 entry_point = 0x72b8ee80 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1623 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1624 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1625 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1626 start_va = 0x72c10000 end_va = 0x72c17fff monitored = 0 entry_point = 0x72c110e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1627 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1628 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1629 start_va = 0x270000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1630 start_va = 0x370000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1631 start_va = 0x160000 end_va = 0x17dfff monitored = 0 entry_point = 0x17158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1632 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1633 start_va = 0x160000 end_va = 0x17dfff monitored = 0 entry_point = 0x17158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1634 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1635 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1636 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1637 start_va = 0xf50000 end_va = 0x234ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 1638 start_va = 0x30000 end_va = 0x3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmic.exe.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmic.exe.mui") Region: id = 1639 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1640 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1641 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1642 start_va = 0x2d0000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1643 start_va = 0x320000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 1644 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1645 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1646 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1647 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1648 start_va = 0x72b60000 end_va = 0x72b6afff monitored = 0 entry_point = 0x72b652a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1649 start_va = 0x72af0000 end_va = 0x72b50fff monitored = 0 entry_point = 0x72b2bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 1650 start_va = 0x75300000 end_va = 0x75316fff monitored = 0 entry_point = 0x753035fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1651 start_va = 0x790000 end_va = 0xa5efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1652 start_va = 0x72cb0000 end_va = 0x72de2fff monitored = 0 entry_point = 0x72cb145e region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll") Region: id = 1653 start_va = 0xa60000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1654 start_va = 0xbd0000 end_va = 0xd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1655 start_va = 0xbd0000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1656 start_va = 0xd60000 end_va = 0xd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 1657 start_va = 0x2350000 end_va = 0x24affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 1658 start_va = 0x24b0000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 1659 start_va = 0x270000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1660 start_va = 0x2640000 end_va = 0x280ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1661 start_va = 0xa60000 end_va = 0xb1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1662 start_va = 0xb90000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1663 start_va = 0x2810000 end_va = 0x2c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 1664 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll") Region: id = 1665 start_va = 0x270000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1666 start_va = 0x290000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1667 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1668 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1669 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1670 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1671 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1672 start_va = 0xbd0000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1673 start_va = 0xd00000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1674 start_va = 0x310000 end_va = 0x311fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1675 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1676 start_va = 0x330000 end_va = 0x330fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1677 start_va = 0x340000 end_va = 0x341fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1678 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1679 start_va = 0x330000 end_va = 0x330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1680 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1681 start_va = 0x350000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 1682 start_va = 0x360000 end_va = 0x367fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 1683 start_va = 0xb20000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 1684 start_va = 0x74560000 end_va = 0x745a3fff monitored = 0 entry_point = 0x745763f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 1685 start_va = 0x2c10000 end_va = 0x2daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c10000" filename = "" Region: id = 1686 start_va = 0x743f0000 end_va = 0x7446ffff monitored = 0 entry_point = 0x744037c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1687 start_va = 0xda0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1688 start_va = 0xda0000 end_va = 0xe7efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 1689 start_va = 0xea0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 1690 start_va = 0x23e0000 end_va = 0x241ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 1691 start_va = 0x2420000 end_va = 0x245ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 1692 start_va = 0x2470000 end_va = 0x24affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 1693 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1694 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1695 start_va = 0xb30000 end_va = 0xb6bfff monitored = 0 entry_point = 0xb3128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1696 start_va = 0xb30000 end_va = 0xb6bfff monitored = 0 entry_point = 0xb3128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1697 start_va = 0xb30000 end_va = 0xb6bfff monitored = 0 entry_point = 0xb3128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1698 start_va = 0xb30000 end_va = 0xb6bfff monitored = 0 entry_point = 0xb3128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1699 start_va = 0xb30000 end_va = 0xb6bfff monitored = 0 entry_point = 0xb3128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1700 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1701 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 1702 start_va = 0x2360000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 1703 start_va = 0x24d0000 end_va = 0x250ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1704 start_va = 0x2550000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 1705 start_va = 0x2600000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1706 start_va = 0x2670000 end_va = 0x26affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 1707 start_va = 0x27d0000 end_va = 0x280ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 1708 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1709 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1710 start_va = 0x72ae0000 end_va = 0x72aeefff monitored = 0 entry_point = 0x72ae93d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1711 start_va = 0x72a30000 end_va = 0x72ad5fff monitored = 0 entry_point = 0x72a9a2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1712 start_va = 0x72a10000 end_va = 0x72a27fff monitored = 0 entry_point = 0x72a11335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 1714 start_va = 0xb30000 end_va = 0xb3cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Thread: id = 61 os_tid = 0xa78 [0093.795] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfd14 | out: lpSystemTimeAsFileTime=0xcfd14*(dwLowDateTime=0x51b3ad60, dwHighDateTime=0x1d7fb45)) [0093.795] GetCurrentProcessId () returned 0xa04 [0093.795] GetCurrentThreadId () returned 0xa78 [0093.795] GetTickCount () returned 0xec2dd7 [0093.795] QueryPerformanceCounter (in: lpPerformanceCount=0xcfd0c | out: lpPerformanceCount=0xcfd0c*=1563709839788) returned 1 [0093.795] GetModuleHandleA (lpModuleName=0x0) returned 0xee0000 [0093.795] __set_app_type (_Type=0x1) [0093.795] __p__fmode () returned 0x76d631f4 [0093.795] __p__commode () returned 0x76d631fc [0093.795] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf1dc15) returned 0x0 [0093.796] __wgetmainargs (in: _Argc=0xf2c5e8, _Argv=0xf2c5f0, _Env=0xf2c5ec, _DoWildCard=0, _StartInfo=0xf2c5fc | out: _Argc=0xf2c5e8, _Argv=0xf2c5f0, _Env=0xf2c5ec) returned 0 [0093.802] ??0CHString@@QAE@XZ () returned 0xf2c28c [0093.802] malloc (_Size=0x18) returned 0x3213b8 [0093.803] malloc (_Size=0x38) returned 0x323d68 [0093.803] malloc (_Size=0x28) returned 0x3213d8 [0093.803] malloc (_Size=0x18) returned 0x323da8 [0093.803] malloc (_Size=0x24) returned 0x323dc8 [0093.804] malloc (_Size=0x18) returned 0x323df8 [0093.804] malloc (_Size=0x18) returned 0x323e18 [0093.804] ??0CHString@@QAE@XZ () returned 0xf2c594 [0093.804] malloc (_Size=0x18) returned 0x323e38 [0093.804] ?Empty@CHString@@QAEXXZ () returned 0x72b9d81c [0093.804] SetConsoleCtrlHandler (HandlerRoutine=0xf16b6f, Add=1) returned 1 [0093.804] _onexit (_Func=0xf22f1f) returned 0xf22f1f [0093.804] _onexit (_Func=0xf22f2e) returned 0xf22f2e [0093.804] _onexit (_Func=0xf22f42) returned 0xf22f42 [0093.805] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.805] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0093.806] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0093.815] CoCreateInstance (in: rclsid=0xee6c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xee6b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xf2c1b0 | out: ppv=0xf2c1b0*=0x390b20) returned 0x0 [0094.330] GetCurrentProcess () returned 0xffffffff [0094.330] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xcfbbc | out: TokenHandle=0xcfbbc*=0x11c) returned 1 [0094.330] GetTokenInformation (in: TokenHandle=0x11c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfbb8 | out: TokenInformation=0x0, ReturnLength=0xcfbb8) returned 0 [0094.330] malloc (_Size=0x118) returned 0x322728 [0094.330] GetTokenInformation (in: TokenHandle=0x11c, TokenInformationClass=0x3, TokenInformation=0x322728, TokenInformationLength=0x118, ReturnLength=0xcfbb8 | out: TokenInformation=0x322728, ReturnLength=0xcfbb8) returned 1 [0094.330] AdjustTokenPrivileges (in: TokenHandle=0x11c, DisableAllPrivileges=0, NewState=0x322728*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0094.331] free (_Block=0x322728) [0094.331] CloseHandle (hObject=0x11c) returned 1 [0094.331] malloc (_Size=0x40) returned 0x323f68 [0094.331] malloc (_Size=0x40) returned 0x322728 [0094.331] malloc (_Size=0x40) returned 0x322770 [0094.331] malloc (_Size=0x20a) returned 0x3227b8 [0094.332] GetSystemDirectoryW (in: lpBuffer=0x3227b8, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.332] free (_Block=0x3227b8) [0094.333] malloc (_Size=0xc) returned 0x323fb0 [0094.333] malloc (_Size=0xc) returned 0x323fc8 [0094.333] malloc (_Size=0xc) returned 0x3227b8 [0094.333] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0094.333] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0094.333] free (_Block=0x323fb0) [0094.333] free (_Block=0x323fc8) [0094.333] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x769b0000 [0094.334] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadUILanguage") returned 0x769da827 [0094.335] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.335] FreeLibrary (hLibModule=0x769b0000) returned 1 [0094.335] free (_Block=0x3227b8) [0094.335] _vsnwprintf (in: _Buffer=0x322770, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xcfb18 | out: _Buffer="ms_409") returned 6 [0094.335] malloc (_Size=0x20) returned 0x323fb0 [0094.335] GetComputerNameW (in: lpBuffer=0x323fb0, nSize=0xcfb70 | out: lpBuffer="Q9IATRKPRH", nSize=0xcfb70) returned 1 [0094.336] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.336] malloc (_Size=0x16) returned 0x3227b8 [0094.336] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.336] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xcfbac | out: lpNameBuffer=0x0, nSize=0xcfbac) returned 0x0 [0094.338] GetLastError () returned 0xea [0094.338] malloc (_Size=0x2c) returned 0x3227d8 [0094.338] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3227d8, nSize=0xcfbac | out: lpNameBuffer="Q9IATRKPRH\\kEecfMwgj", nSize=0xcfbac) returned 0x1 [0094.338] lstrlenW (lpString="") returned 0 [0094.338] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.338] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3 [0094.342] lstrlenW (lpString=".") returned 1 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2=".", cchCount2=1) returned 3 [0094.342] lstrlenW (lpString="LOCALHOST") returned 9 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="LOCALHOST", cchCount2=9) returned 3 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="Q9IATRKPRH", cchCount2=10) returned 2 [0094.342] free (_Block=0x3227b8) [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] malloc (_Size=0x16) returned 0x3227b8 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] malloc (_Size=0x16) returned 0x322810 [0094.342] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0094.342] malloc (_Size=0x4) returned 0x323fd8 [0094.342] malloc (_Size=0xc) returned 0x322830 [0094.342] malloc (_Size=0x18) returned 0x322848 [0094.343] malloc (_Size=0xc) returned 0x322868 [0094.343] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.343] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.343] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.343] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.343] malloc (_Size=0x18) returned 0x322880 [0094.343] malloc (_Size=0xc) returned 0x3228a0 [0094.343] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.343] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.343] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.343] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.343] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.343] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.343] malloc (_Size=0x18) returned 0x3228b8 [0094.343] malloc (_Size=0xc) returned 0x3228d8 [0094.343] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.343] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.343] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.343] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.343] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.343] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.343] malloc (_Size=0x18) returned 0x3228f0 [0094.344] malloc (_Size=0xc) returned 0x322910 [0094.344] malloc (_Size=0x18) returned 0x322928 [0094.344] malloc (_Size=0xc) returned 0x322948 [0094.344] SysStringLen (param_1="NONE") returned 0x4 [0094.344] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.344] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.344] SysStringLen (param_1="NONE") returned 0x4 [0094.344] malloc (_Size=0x18) returned 0x322960 [0094.344] malloc (_Size=0xc) returned 0x322980 [0094.344] SysStringLen (param_1="CONNECT") returned 0x7 [0094.344] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.344] malloc (_Size=0x18) returned 0x322998 [0094.344] malloc (_Size=0xc) returned 0x3229b8 [0094.345] SysStringLen (param_1="CALL") returned 0x4 [0094.345] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.345] SysStringLen (param_1="CALL") returned 0x4 [0094.345] SysStringLen (param_1="CONNECT") returned 0x7 [0094.345] malloc (_Size=0x18) returned 0x3229d0 [0094.345] malloc (_Size=0xc) returned 0x3229f0 [0094.345] SysStringLen (param_1="PKT") returned 0x3 [0094.345] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.345] SysStringLen (param_1="PKT") returned 0x3 [0094.345] SysStringLen (param_1="NONE") returned 0x4 [0094.345] SysStringLen (param_1="NONE") returned 0x4 [0094.345] SysStringLen (param_1="PKT") returned 0x3 [0094.346] malloc (_Size=0x18) returned 0x32e868 [0094.346] malloc (_Size=0xc) returned 0x322e08 [0094.346] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.346] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.346] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.346] SysStringLen (param_1="NONE") returned 0x4 [0094.346] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.346] SysStringLen (param_1="PKT") returned 0x3 [0094.346] SysStringLen (param_1="PKT") returned 0x3 [0094.346] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.346] malloc (_Size=0x18) returned 0x32e888 [0094.346] malloc (_Size=0xc) returned 0x322e20 [0094.346] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.346] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.346] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.346] SysStringLen (param_1="PKT") returned 0x3 [0094.346] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.346] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.346] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.346] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.346] malloc (_Size=0x18) returned 0x32e8a8 [0094.346] malloc (_Size=0x40) returned 0x322e38 [0094.346] malloc (_Size=0x20a) returned 0x322e80 [0094.346] GetSystemDirectoryW (in: lpBuffer=0x322e80, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.347] free (_Block=0x322e80) [0094.347] malloc (_Size=0xc) returned 0x322e80 [0094.347] malloc (_Size=0xc) returned 0x322e98 [0094.347] malloc (_Size=0xc) returned 0x322eb0 [0094.347] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0094.347] SysStringLen (param_1="\\wbem\\") returned 0x6 [0094.347] free (_Block=0x322e80) [0094.348] free (_Block=0x322e98) [0094.348] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0094.348] free (_Block=0x322eb0) [0094.348] malloc (_Size=0xc) returned 0x322e80 [0094.348] malloc (_Size=0xc) returned 0x322e98 [0094.348] malloc (_Size=0xc) returned 0x322eb0 [0094.348] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0094.348] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0094.348] free (_Block=0x322e80) [0094.348] free (_Block=0x322e98) [0094.348] GetCurrentThreadId () returned 0xa78 [0094.348] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xcf6c8 | out: phkResult=0xcf6c8*=0x120) returned 0x0 [0094.348] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xcf6d4, lpcbData=0xcf6d0*=0x400 | out: lpType=0x0, lpData=0xcf6d4*=0x30, lpcbData=0xcf6d0*=0x4) returned 0x0 [0094.348] _wcsicmp (_String1="0", _String2="1") returned -1 [0094.348] _wcsicmp (_String1="0", _String2="2") returned -2 [0094.349] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xcf6d0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xcf6d0*=0x42) returned 0x0 [0094.349] malloc (_Size=0x86) returned 0x322ec8 [0094.349] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x322ec8, lpcbData=0xcf6d0*=0x42 | out: lpType=0x0, lpData=0x322ec8*=0x25, lpcbData=0xcf6d0*=0x42) returned 0x0 [0094.349] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0094.349] malloc (_Size=0x42) returned 0x322f58 [0094.349] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0094.349] RegQueryValueExW (in: hKey=0x120, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xcf6d4, lpcbData=0xcf6d0*=0x400 | out: lpType=0x0, lpData=0xcf6d4*=0x36, lpcbData=0xcf6d0*=0xc) returned 0x0 [0094.349] _wtol (_String="65536") returned 65536 [0094.349] free (_Block=0x322ec8) [0094.349] RegCloseKey (hKey=0x0) returned 0x6 [0094.349] CoCreateInstance (in: rclsid=0xee6d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xee6d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xcfb64 | out: ppv=0xcfb64*=0xb94630) returned 0x0 [0094.692] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0xb94630, xmlSource=0xcfae8*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77a1, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0xcfb4c | out: isSuccessful=0xcfb4c*=0xffff) returned 0x0 [0095.486] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0xb94630, DOMElement=0xcfb60 | out: DOMElement=0xcfb60*=0xb98c58) returned 0x0 [0095.487] malloc (_Size=0xc) returned 0x322e80 [0095.491] IXMLDOMElement:getElementsByTagName (in: This=0xb98c58, tagName="XSLFORMAT", resultList=0xcfb5c | out: resultList=0xcfb5c*=0xb98e80) returned 0x0 [0095.492] free (_Block=0x322e80) [0095.492] IXMLDOMNodeList:get_length (in: This=0xb98e80, listLength=0xcfb44 | out: listLength=0xcfb44*=21) returned 0x0 [0095.493] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=0, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.493] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.493] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.493] malloc (_Size=0xc) returned 0x322e80 [0095.493] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.494] free (_Block=0x322e80) [0095.494] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0095.494] malloc (_Size=0xc) returned 0x322e80 [0095.494] malloc (_Size=0xc) returned 0x322e98 [0095.494] malloc (_Size=0x18) returned 0x32e8c8 [0095.495] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.495] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.495] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.495] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=1, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.495] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="textvaluelist.xsl") returned 0x0 [0095.495] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.495] malloc (_Size=0xc) returned 0x323140 [0095.495] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.495] free (_Block=0x323140) [0095.495] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0095.495] malloc (_Size=0xc) returned 0x323140 [0095.495] malloc (_Size=0xc) returned 0x323158 [0095.495] SysStringLen (param_1="VALUE") returned 0x5 [0095.495] SysStringLen (param_1="TABLE") returned 0x5 [0095.496] SysStringLen (param_1="TABLE") returned 0x5 [0095.496] SysStringLen (param_1="VALUE") returned 0x5 [0095.496] malloc (_Size=0x18) returned 0x32e8e8 [0095.496] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.496] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.496] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.496] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=2, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.496] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="textvaluelist.xsl") returned 0x0 [0095.496] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.496] malloc (_Size=0xc) returned 0x32f248 [0095.496] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.497] free (_Block=0x32f248) [0095.497] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="LIST", varVal2=0x0)) returned 0x0 [0095.497] malloc (_Size=0xc) returned 0x32f248 [0095.497] malloc (_Size=0xc) returned 0x32f260 [0095.497] SysStringLen (param_1="LIST") returned 0x4 [0095.497] SysStringLen (param_1="TABLE") returned 0x5 [0095.497] malloc (_Size=0x18) returned 0x32e908 [0095.497] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.497] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.497] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.497] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=3, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.497] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="rawxml.xsl") returned 0x0 [0095.497] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.498] malloc (_Size=0xc) returned 0x32f278 [0095.498] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.498] free (_Block=0x32f278) [0095.498] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0095.498] malloc (_Size=0xc) returned 0x32f278 [0095.498] malloc (_Size=0xc) returned 0x32f290 [0095.498] SysStringLen (param_1="RAWXML") returned 0x6 [0095.498] SysStringLen (param_1="TABLE") returned 0x5 [0095.498] SysStringLen (param_1="RAWXML") returned 0x6 [0095.498] SysStringLen (param_1="LIST") returned 0x4 [0095.498] SysStringLen (param_1="LIST") returned 0x4 [0095.498] SysStringLen (param_1="RAWXML") returned 0x6 [0095.498] malloc (_Size=0x18) returned 0x32e928 [0095.499] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.499] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.499] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.499] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=4, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.499] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="htable.xsl") returned 0x0 [0095.499] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.499] malloc (_Size=0xc) returned 0x32f2a8 [0095.499] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.499] free (_Block=0x32f2a8) [0095.499] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0095.499] malloc (_Size=0xc) returned 0x32f2a8 [0095.499] malloc (_Size=0xc) returned 0x32f2c0 [0095.499] SysStringLen (param_1="HTABLE") returned 0x6 [0095.500] SysStringLen (param_1="TABLE") returned 0x5 [0095.500] SysStringLen (param_1="HTABLE") returned 0x6 [0095.500] SysStringLen (param_1="LIST") returned 0x4 [0095.500] malloc (_Size=0x18) returned 0x32e948 [0095.500] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.500] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.500] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.500] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=5, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.500] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="hform.xsl") returned 0x0 [0095.500] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.500] malloc (_Size=0xc) returned 0x32f2d8 [0095.500] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.501] free (_Block=0x32f2d8) [0095.501] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0095.501] malloc (_Size=0xc) returned 0x32f2d8 [0095.501] malloc (_Size=0xc) returned 0x32f2f0 [0095.501] SysStringLen (param_1="HFORM") returned 0x5 [0095.501] SysStringLen (param_1="TABLE") returned 0x5 [0095.501] SysStringLen (param_1="HFORM") returned 0x5 [0095.501] SysStringLen (param_1="LIST") returned 0x4 [0095.501] SysStringLen (param_1="HFORM") returned 0x5 [0095.501] SysStringLen (param_1="HTABLE") returned 0x6 [0095.501] malloc (_Size=0x18) returned 0x32e968 [0095.502] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.502] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.502] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.502] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=6, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.502] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="xml.xsl") returned 0x0 [0095.502] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.502] malloc (_Size=0xc) returned 0x32f308 [0095.502] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.502] free (_Block=0x32f308) [0095.502] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="XML", varVal2=0x0)) returned 0x0 [0095.502] malloc (_Size=0xc) returned 0x32f308 [0095.502] malloc (_Size=0xc) returned 0x32f320 [0095.503] SysStringLen (param_1="XML") returned 0x3 [0095.503] SysStringLen (param_1="TABLE") returned 0x5 [0095.503] SysStringLen (param_1="XML") returned 0x3 [0095.503] SysStringLen (param_1="VALUE") returned 0x5 [0095.503] SysStringLen (param_1="VALUE") returned 0x5 [0095.503] SysStringLen (param_1="XML") returned 0x3 [0095.503] malloc (_Size=0x18) returned 0x32e988 [0095.503] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.503] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.503] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.503] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=7, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.503] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="mof.xsl") returned 0x0 [0095.503] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.503] malloc (_Size=0xc) returned 0x32f338 [0095.504] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.504] free (_Block=0x32f338) [0095.504] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="MOF", varVal2=0x0)) returned 0x0 [0095.504] malloc (_Size=0xc) returned 0x32f338 [0095.504] malloc (_Size=0xc) returned 0x32f350 [0095.504] SysStringLen (param_1="MOF") returned 0x3 [0095.504] SysStringLen (param_1="TABLE") returned 0x5 [0095.504] SysStringLen (param_1="MOF") returned 0x3 [0095.504] SysStringLen (param_1="LIST") returned 0x4 [0095.504] SysStringLen (param_1="MOF") returned 0x3 [0095.504] SysStringLen (param_1="RAWXML") returned 0x6 [0095.504] SysStringLen (param_1="LIST") returned 0x4 [0095.504] SysStringLen (param_1="MOF") returned 0x3 [0095.504] malloc (_Size=0x18) returned 0x32e9a8 [0095.504] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.505] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.505] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.505] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=8, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.505] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="csv.xsl") returned 0x0 [0095.505] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.505] malloc (_Size=0xc) returned 0x32f368 [0095.505] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.505] free (_Block=0x32f368) [0095.505] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="CSV", varVal2=0x0)) returned 0x0 [0095.505] malloc (_Size=0xc) returned 0x32f368 [0095.505] malloc (_Size=0xc) returned 0x32f380 [0095.505] SysStringLen (param_1="CSV") returned 0x3 [0095.506] SysStringLen (param_1="TABLE") returned 0x5 [0095.506] SysStringLen (param_1="CSV") returned 0x3 [0095.506] SysStringLen (param_1="LIST") returned 0x4 [0095.506] SysStringLen (param_1="CSV") returned 0x3 [0095.506] SysStringLen (param_1="HTABLE") returned 0x6 [0095.506] SysStringLen (param_1="CSV") returned 0x3 [0095.506] SysStringLen (param_1="HFORM") returned 0x5 [0095.506] malloc (_Size=0x18) returned 0x32e9c8 [0095.506] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.506] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.506] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.506] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=9, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.506] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.506] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.506] malloc (_Size=0xc) returned 0x32f398 [0095.506] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.507] free (_Block=0x32f398) [0095.507] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0095.507] malloc (_Size=0xc) returned 0x32f398 [0095.507] malloc (_Size=0xc) returned 0x32f3b0 [0095.507] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.507] SysStringLen (param_1="TABLE") returned 0x5 [0095.507] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.507] SysStringLen (param_1="VALUE") returned 0x5 [0095.507] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.507] SysStringLen (param_1="XML") returned 0x3 [0095.507] SysStringLen (param_1="XML") returned 0x3 [0095.507] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.507] malloc (_Size=0x18) returned 0x32e9e8 [0095.507] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.507] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.508] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.508] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=10, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.508] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.508] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.508] malloc (_Size=0xc) returned 0x32f3c8 [0095.508] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.508] free (_Block=0x32f3c8) [0095.508] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0095.508] malloc (_Size=0xc) returned 0x32f3c8 [0095.508] malloc (_Size=0xc) returned 0x32f3e0 [0095.508] SysStringLen (param_1="texttablewsys") returned 0xd [0095.508] SysStringLen (param_1="TABLE") returned 0x5 [0095.508] SysStringLen (param_1="texttablewsys") returned 0xd [0095.509] SysStringLen (param_1="XML") returned 0x3 [0095.509] SysStringLen (param_1="texttablewsys") returned 0xd [0095.509] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.509] SysStringLen (param_1="XML") returned 0x3 [0095.509] SysStringLen (param_1="texttablewsys") returned 0xd [0095.509] malloc (_Size=0x18) returned 0x32ea08 [0095.509] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.509] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.509] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.509] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=11, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.509] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.509] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.509] malloc (_Size=0xc) returned 0x32f3f8 [0095.509] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.510] free (_Block=0x32f3f8) [0095.510] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0095.510] malloc (_Size=0xc) returned 0x32f3f8 [0095.510] malloc (_Size=0xc) returned 0x32f410 [0095.510] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.510] SysStringLen (param_1="TABLE") returned 0x5 [0095.510] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.510] SysStringLen (param_1="XML") returned 0x3 [0095.510] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.510] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.510] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.510] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.510] malloc (_Size=0x18) returned 0x32ea28 [0095.510] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.510] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.510] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.510] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=12, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.511] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.511] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.511] malloc (_Size=0xc) returned 0x32f428 [0095.511] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.511] free (_Block=0x32f428) [0095.511] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0095.511] malloc (_Size=0xc) returned 0x32f428 [0095.511] malloc (_Size=0xc) returned 0x32f440 [0095.511] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.511] SysStringLen (param_1="TABLE") returned 0x5 [0095.511] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.511] SysStringLen (param_1="XML") returned 0x3 [0095.511] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.512] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.512] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.512] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.512] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.512] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.512] malloc (_Size=0x18) returned 0x32ea48 [0095.512] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.512] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.512] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.512] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=13, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.512] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.512] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.512] malloc (_Size=0xc) returned 0x32f458 [0095.512] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.513] free (_Block=0x32f458) [0095.513] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0095.513] malloc (_Size=0xc) returned 0x32f458 [0095.513] malloc (_Size=0xc) returned 0x32f470 [0095.513] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.513] SysStringLen (param_1="TABLE") returned 0x5 [0095.513] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.513] SysStringLen (param_1="XML") returned 0x3 [0095.513] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.513] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.513] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.513] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.513] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.513] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.513] malloc (_Size=0x18) returned 0x32ea68 [0095.513] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.513] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.513] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.514] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=14, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.514] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="texttable.xsl") returned 0x0 [0095.514] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.514] malloc (_Size=0xc) returned 0x32f488 [0095.514] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.514] free (_Block=0x32f488) [0095.514] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0095.514] malloc (_Size=0xc) returned 0x32f488 [0095.514] malloc (_Size=0xc) returned 0x32f4a0 [0095.514] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.514] SysStringLen (param_1="TABLE") returned 0x5 [0095.514] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.514] SysStringLen (param_1="XML") returned 0x3 [0095.514] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.514] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.515] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.515] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.515] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.515] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.515] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.515] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0095.515] malloc (_Size=0x18) returned 0x32ea88 [0095.515] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.515] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.515] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.515] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=15, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.515] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="htable.xsl") returned 0x0 [0095.515] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.515] malloc (_Size=0xc) returned 0x32f4b8 [0095.515] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.516] free (_Block=0x32f4b8) [0095.516] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0095.516] malloc (_Size=0xc) returned 0x32f4b8 [0095.516] malloc (_Size=0xc) returned 0x32f4d0 [0095.516] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.516] SysStringLen (param_1="TABLE") returned 0x5 [0095.516] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.516] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.516] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.516] SysStringLen (param_1="XML") returned 0x3 [0095.516] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.516] SysStringLen (param_1="texttablewsys") returned 0xd [0095.516] SysStringLen (param_1="XML") returned 0x3 [0095.516] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.516] malloc (_Size=0x18) returned 0x32eaa8 [0095.516] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.516] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.517] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.517] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=16, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.517] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="htable.xsl") returned 0x0 [0095.517] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.517] malloc (_Size=0xc) returned 0x32f4e8 [0095.517] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.517] free (_Block=0x32f4e8) [0095.517] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0095.518] malloc (_Size=0xc) returned 0x32f4e8 [0095.518] malloc (_Size=0xc) returned 0x32f500 [0095.518] SysStringLen (param_1="htable-sortby") returned 0xd [0095.518] SysStringLen (param_1="TABLE") returned 0x5 [0095.518] SysStringLen (param_1="htable-sortby") returned 0xd [0095.518] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.518] SysStringLen (param_1="htable-sortby") returned 0xd [0095.518] SysStringLen (param_1="XML") returned 0x3 [0095.518] SysStringLen (param_1="htable-sortby") returned 0xd [0095.518] SysStringLen (param_1="texttablewsys") returned 0xd [0095.518] SysStringLen (param_1="htable-sortby") returned 0xd [0095.518] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0095.518] SysStringLen (param_1="XML") returned 0x3 [0095.518] SysStringLen (param_1="htable-sortby") returned 0xd [0095.518] malloc (_Size=0x18) returned 0x32eac8 [0095.518] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.518] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.518] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.518] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=17, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.519] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="mof.xsl") returned 0x0 [0095.519] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.519] malloc (_Size=0xc) returned 0x32f518 [0095.519] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.519] free (_Block=0x32f518) [0095.519] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0095.519] malloc (_Size=0xc) returned 0x32f518 [0095.519] malloc (_Size=0xc) returned 0x32f530 [0095.519] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.519] SysStringLen (param_1="TABLE") returned 0x5 [0095.519] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.519] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.519] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.519] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.519] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.520] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.520] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.520] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.520] malloc (_Size=0x18) returned 0x32eae8 [0095.520] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.520] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.520] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.520] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=18, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.520] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="mof.xsl") returned 0x0 [0095.520] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.520] malloc (_Size=0xc) returned 0x32f548 [0095.520] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.520] free (_Block=0x32f548) [0095.521] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0095.521] malloc (_Size=0xc) returned 0x32f548 [0095.521] malloc (_Size=0xc) returned 0x32f560 [0095.521] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.521] SysStringLen (param_1="TABLE") returned 0x5 [0095.521] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.521] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.521] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.521] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.521] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.521] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0095.521] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.521] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0095.521] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.521] SysStringLen (param_1="wmiclimofformat") returned 0xf [0095.521] malloc (_Size=0x18) returned 0x32eb08 [0095.521] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.521] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.522] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.522] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=19, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.522] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="textvaluelist.xsl") returned 0x0 [0095.522] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.522] malloc (_Size=0xc) returned 0x32f578 [0095.522] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.522] free (_Block=0x32f578) [0095.522] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0095.522] malloc (_Size=0xc) returned 0x32f578 [0095.522] malloc (_Size=0xc) returned 0x32f590 [0095.522] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.522] SysStringLen (param_1="TABLE") returned 0x5 [0095.522] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.522] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.523] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.523] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.523] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.523] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.523] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.523] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.523] malloc (_Size=0x18) returned 0x32eb28 [0095.523] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.523] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.523] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.523] IXMLDOMNodeList:get_item (in: This=0xb98e80, index=20, listItem=0xcfb78 | out: listItem=0xcfb78*=0xb94b20) returned 0x0 [0095.523] IXMLDOMNode:get_text (in: This=0xb94b20, text=0xcfb80 | out: text=0xcfb80*="textvaluelist.xsl") returned 0x0 [0095.523] IXMLDOMNode:get_attributes (in: This=0xb94b20, attributeMap=0xcfb74 | out: attributeMap=0xcfb74*=0xb98cf8) returned 0x0 [0095.523] malloc (_Size=0xc) returned 0x32f5a8 [0095.523] IXMLDOMNamedNodeMap:getNamedItem (in: This=0xb98cf8, name="KEYWORD", namedItem=0xcfb70 | out: namedItem=0xcfb70*=0xb98c98) returned 0x0 [0095.524] free (_Block=0x32f5a8) [0095.524] IXMLDOMNode:get_nodeValue (in: This=0xb98c98, value=0xcfb1c | out: value=0xcfb1c*(varType=0x8, wReserved1=0x32, wReserved2=0x2e98, wReserved3=0x32, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0095.524] malloc (_Size=0xc) returned 0x32f5a8 [0095.524] malloc (_Size=0xc) returned 0x32f5c0 [0095.524] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.524] SysStringLen (param_1="TABLE") returned 0x5 [0095.524] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.524] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0095.524] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.524] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0095.524] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.524] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.524] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.524] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0095.524] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0095.524] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0095.524] malloc (_Size=0x18) returned 0x32eb48 [0095.525] IUnknown:Release (This=0xb94b20) returned 0x0 [0095.525] IUnknown:Release (This=0xb98cf8) returned 0x0 [0095.525] IUnknown:Release (This=0xb98c98) returned 0x0 [0095.525] IUnknown:Release (This=0xb98e80) returned 0x0 [0095.525] FreeThreadedDOMDocument:IUnknown:Release (This=0xb98c58) returned 0x1 [0095.525] FreeThreadedDOMDocument:IUnknown:Release (This=0xb94630) returned 0x0 [0095.525] free (_Block=0x322eb0) [0095.525] GetCommandLineW () returned="wmic.exe SHADOWCOPY /nointeractive" [0095.525] malloc (_Size=0x50) returned 0x32f630 [0095.525] memcpy_s (in: _Destination=0x32f630, _DestinationSize=0x4e, _Source=0x3719a6, _SourceSize=0x44 | out: _Destination=0x32f630) returned 0x0 [0095.525] malloc (_Size=0xc) returned 0x32f5d8 [0095.525] malloc (_Size=0xc) returned 0x32f5f0 [0095.525] malloc (_Size=0xc) returned 0x32f608 [0095.525] malloc (_Size=0xc) returned 0x32f6a0 [0095.525] malloc (_Size=0x80) returned 0xbd0390 [0095.525] GetLocalTime (in: lpSystemTime=0xcfb28 | out: lpSystemTime=0xcfb28*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x12, wMinute=0xf, wSecond=0x11, wMilliseconds=0x2b9)) [0095.526] _vsnwprintf (in: _Buffer=0xbd0390, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xcfb08 | out: _Buffer="12-27-2021T18:15:17") returned 19 [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] malloc (_Size=0x36) returned 0x323170 [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] malloc (_Size=0x36) returned 0x32fa88 [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] malloc (_Size=0x16) returned 0x32eb68 [0095.526] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.526] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0095.526] malloc (_Size=0x16) returned 0x32eb88 [0095.526] malloc (_Size=0x4) returned 0x322eb0 [0095.526] free (_Block=0x0) [0095.526] free (_Block=0x32eb68) [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] malloc (_Size=0x4) returned 0x32fac8 [0095.526] lstrlenW (lpString="/") returned 1 [0095.526] malloc (_Size=0x4) returned 0x32fad8 [0095.526] malloc (_Size=0x8) returned 0x32fae8 [0095.526] memmove_s (in: _Destination=0x32fae8, _DestinationSize=0x4, _Source=0x322eb0, _SourceSize=0x4 | out: _Destination=0x32fae8) returned 0x0 [0095.526] free (_Block=0x322eb0) [0095.526] free (_Block=0x0) [0095.526] free (_Block=0x32fac8) [0095.526] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0095.526] malloc (_Size=0x1c) returned 0x32faf8 [0095.526] lstrlenW (lpString="nointeractive") returned 13 [0095.527] _wcsicmp (_String1="nointeractive", _String2="\"NULL\"") returned 76 [0095.527] malloc (_Size=0x1c) returned 0x32fb20 [0095.527] malloc (_Size=0xc) returned 0x32f6b8 [0095.527] memmove_s (in: _Destination=0x32f6b8, _DestinationSize=0x8, _Source=0x32fae8, _SourceSize=0x8 | out: _Destination=0x32f6b8) returned 0x0 [0095.527] free (_Block=0x32fae8) [0095.527] free (_Block=0x0) [0095.527] free (_Block=0x32faf8) [0095.527] malloc (_Size=0xc) returned 0x32f6d0 [0095.527] lstrlenW (lpString="QUIT") returned 4 [0095.527] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.527] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0095.527] lstrlenW (lpString="EXIT") returned 4 [0095.527] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.527] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0095.527] free (_Block=0x32f6d0) [0095.527] WbemLocator:IUnknown:AddRef (This=0x390b20) returned 0x2 [0095.527] malloc (_Size=0xc) returned 0x32f6d0 [0095.527] lstrlenW (lpString="/") returned 1 [0095.527] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.527] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0095.527] lstrlenW (lpString="-") returned 1 [0095.527] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.527] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0095.527] lstrlenW (lpString="CLASS") returned 5 [0095.527] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.527] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0095.527] lstrlenW (lpString="PATH") returned 4 [0095.527] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.528] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0095.528] lstrlenW (lpString="CONTEXT") returned 7 [0095.528] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.528] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0095.528] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.528] malloc (_Size=0x16) returned 0x32eb68 [0095.528] lstrlenW (lpString="SHADOWCOPY") returned 10 [0095.528] GetCurrentThreadId () returned 0xa78 [0095.528] ??0CHString@@QAE@XZ () returned 0xcfa7c [0095.528] malloc (_Size=0xc) returned 0x32f6e8 [0095.528] malloc (_Size=0xc) returned 0x32f700 [0095.528] WbemLocator:IWbemLocator:ConnectServer (in: This=0x390b20, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xf2c1e0 | out: ppNamespace=0xf2c1e0*=0x3ad3e8) returned 0x0 [0096.620] free (_Block=0x32f700) [0096.620] free (_Block=0x32f6e8) [0096.620] CoSetProxyBlanket (pProxy=0x3ad3e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0096.620] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.621] GetCurrentThreadId () returned 0xa78 [0096.621] ??0CHString@@QAE@XZ () returned 0xcfa14 [0096.621] malloc (_Size=0xc) returned 0x32f6e8 [0096.621] malloc (_Size=0xc) returned 0x32f700 [0096.621] malloc (_Size=0xc) returned 0x32f718 [0096.621] malloc (_Size=0xc) returned 0x32f730 [0096.621] SysStringLen (param_1="root\\cli") returned 0x8 [0096.621] SysStringLen (param_1="\\") returned 0x1 [0096.621] malloc (_Size=0xc) returned 0x32f748 [0096.621] SysStringLen (param_1="root\\cli\\") returned 0x9 [0096.621] SysStringLen (param_1="ms_409") returned 0x6 [0096.621] free (_Block=0x32f730) [0096.621] free (_Block=0x32f718) [0096.622] free (_Block=0x32f700) [0096.622] free (_Block=0x32f6e8) [0096.622] malloc (_Size=0xc) returned 0x32f6e8 [0096.622] WbemLocator:IWbemLocator:ConnectServer (in: This=0x390b20, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xf2c1e4 | out: ppNamespace=0xf2c1e4*=0x3ad488) returned 0x0 [0096.636] free (_Block=0x32f6e8) [0096.636] free (_Block=0x32f748) [0096.636] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.637] GetCurrentThreadId () returned 0xa78 [0096.637] ??0CHString@@QAE@XZ () returned 0xcfa80 [0096.637] malloc (_Size=0xc) returned 0x32f748 [0096.637] malloc (_Size=0xc) returned 0x32f6e8 [0096.637] malloc (_Size=0xc) returned 0x32f700 [0096.637] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0096.637] malloc (_Size=0x3a) returned 0x32ff88 [0096.637] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xee1f7c, cbMultiByte=-1, lpWideCharStr=0x32ff88, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0096.638] free (_Block=0x32ff88) [0096.638] malloc (_Size=0xc) returned 0x32f718 [0096.638] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0096.638] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0096.638] malloc (_Size=0xc) returned 0x32f730 [0096.638] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0096.638] SysStringLen (param_1="'") returned 0x1 [0096.638] free (_Block=0x32f718) [0096.639] free (_Block=0x32f700) [0096.639] free (_Block=0x32f6e8) [0096.639] free (_Block=0x32f748) [0096.639] IWbemServices:GetObject (in: This=0x3ad3e8, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0xcfa7c*=0x0, ppCallResult=0x0 | out: ppObject=0xcfa7c*=0x3dbdd8, ppCallResult=0x0) returned 0x0 [0096.664] malloc (_Size=0xc) returned 0x32f748 [0096.664] IWbemClassObject:Get (in: This=0x3dbdd8, wszName="Target", lFlags=0, pVal=0xcfa3c*(varType=0x0, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0xf1, varVal1=0xffffffff, varVal2=0xeea03c), pType=0x0, plFlavor=0x0 | out: pVal=0xcfa3c*(varType=0x8, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0xf1, varVal1="Select * from Win32_ShadowCopy", varVal2=0xeea03c), pType=0x0, plFlavor=0x0) returned 0x0 [0096.665] free (_Block=0x32f748) [0096.665] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0096.665] malloc (_Size=0x3e) returned 0x32ff88 [0096.665] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0096.665] malloc (_Size=0xc) returned 0x32f748 [0096.665] IWbemClassObject:Get (in: This=0x3dbdd8, wszName="PWhere", lFlags=0, pVal=0xcfa3c*(varType=0x0, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0xf1, varVal1=0x3aaf74, varVal2=0xeea03c), pType=0x0, plFlavor=0x0 | out: pVal=0xcfa3c*(varType=0x8, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0xf1, varVal1=" Where ID = '#'", varVal2=0xeea03c), pType=0x0, plFlavor=0x0) returned 0x0 [0096.665] free (_Block=0x32f748) [0096.665] lstrlenW (lpString=" Where ID = '#'") returned 15 [0096.665] malloc (_Size=0x20) returned 0x32fae8 [0096.665] lstrlenW (lpString=" Where ID = '#'") returned 15 [0096.665] malloc (_Size=0xc) returned 0x32f748 [0096.665] IWbemClassObject:Get (in: This=0x3dbdd8, wszName="Connection", lFlags=0, pVal=0xcfa3c*(varType=0x0, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0xf1, varVal1=0x3c4a1c, varVal2=0xeea03c), pType=0x0, plFlavor=0x0 | out: pVal=0xcfa3c*(varType=0xd, wReserved1=0xc, wReserved2=0xe58c, wReserved3=0xf1, varVal1=0x3dc198, varVal2=0xeea03c), pType=0x0, plFlavor=0x0) returned 0x0 [0096.665] free (_Block=0x32f748) [0096.665] IUnknown:QueryInterface (in: This=0x3dc198, riid=0xee6b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0xcfa74 | out: ppvObject=0xcfa74*=0x3dc198) returned 0x0 [0096.666] GetCurrentThreadId () returned 0xa78 [0096.666] ??0CHString@@QAE@XZ () returned 0xcf9f0 [0096.666] malloc (_Size=0xc) returned 0x32f748 [0096.666] IWbemClassObject:Get (in: This=0x3dc198, wszName="Namespace", lFlags=0, pVal=0xcf9c0*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c0*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.666] free (_Block=0x32f748) [0096.666] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0096.666] malloc (_Size=0x16) returned 0x32eba8 [0096.666] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0096.666] malloc (_Size=0xc) returned 0x32f748 [0096.666] IWbemClassObject:Get (in: This=0x3dc198, wszName="Locale", lFlags=0, pVal=0xcf9c0*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c0*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.666] free (_Block=0x32f748) [0096.666] lstrlenW (lpString="ms_409") returned 6 [0096.666] malloc (_Size=0xe) returned 0x32f748 [0096.666] lstrlenW (lpString="ms_409") returned 6 [0096.666] malloc (_Size=0xc) returned 0x32f6e8 [0096.666] IWbemClassObject:Get (in: This=0x3dc198, wszName="User", lFlags=0, pVal=0xcf9c0*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c0*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.666] free (_Block=0x32f6e8) [0096.666] malloc (_Size=0xc) returned 0x32f6e8 [0096.666] IWbemClassObject:Get (in: This=0x3dc198, wszName="Password", lFlags=0, pVal=0xcf9c0*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c0*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.666] free (_Block=0x32f6e8) [0096.667] malloc (_Size=0xc) returned 0x32f6e8 [0096.667] IWbemClassObject:Get (in: This=0x3dc198, wszName="Server", lFlags=0, pVal=0xcf9c0*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c0*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.667] free (_Block=0x32f6e8) [0096.667] lstrlenW (lpString=".") returned 1 [0096.667] malloc (_Size=0x4) returned 0x32fb10 [0096.667] lstrlenW (lpString=".") returned 1 [0096.667] malloc (_Size=0xc) returned 0x32f6e8 [0096.667] IWbemClassObject:Get (in: This=0x3dc198, wszName="Authority", lFlags=0, pVal=0xcf9c0*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c0*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x32, varVal1=0x3c07ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.667] free (_Block=0x32f6e8) [0096.667] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.667] IUnknown:Release (This=0x3dc198) returned 0x1 [0096.667] GetCurrentThreadId () returned 0xa78 [0096.667] ??0CHString@@QAE@XZ () returned 0xcf9e8 [0096.667] malloc (_Size=0xc) returned 0x32f6e8 [0096.667] IWbemClassObject:Get (in: This=0x3dbdd8, wszName="__RELPATH", lFlags=0, pVal=0xcf9c8*(varType=0x0, wReserved1=0x0, wReserved2=0xc198, wReserved3=0x3d, varVal1=0xcf9e0, varVal2=0x72a3ba69), pType=0x0, plFlavor=0x0 | out: pVal=0xcf9c8*(varType=0x8, wReserved1=0x0, wReserved2=0xc198, wReserved3=0x3d, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x72a3ba69), pType=0x0, plFlavor=0x0) returned 0x0 [0096.671] free (_Block=0x32f6e8) [0096.671] malloc (_Size=0xc) returned 0x32f6e8 [0096.671] GetCurrentThreadId () returned 0xa78 [0096.671] ??0CHString@@QAE@XZ () returned 0xcf978 [0096.671] ??0CHString@@QAE@PBG@Z () returned 0xcf964 [0096.671] ??0CHString@@QAE@ABV0@@Z () returned 0xcf904 [0096.671] ?Empty@CHString@@QAEXXZ () returned 0x72b9d828 [0096.671] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0xbd2268 [0096.671] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0096.671] ?Left@CHString@@QBE?AV1@H@Z () returned 0xcf8e4 [0096.671] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xcf8e8 [0096.671] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xcf964 [0096.671] ??1CHString@@QAE@XZ () returned 0x1 [0096.671] ??1CHString@@QAE@XZ () returned 0x1 [0096.671] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xcf8e0 [0096.671] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xcf904 [0096.671] ??1CHString@@QAE@XZ () returned 0xbd22d0 [0096.671] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0xbd22d0 [0096.671] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0096.671] ?Left@CHString@@QBE?AV1@H@Z () returned 0xcf8e4 [0096.671] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xcf8e8 [0096.672] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xcf964 [0096.672] ??1CHString@@QAE@XZ () returned 0x1 [0096.672] ??1CHString@@QAE@XZ () returned 0x1 [0096.672] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xcf8e0 [0096.672] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xcf904 [0096.672] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.672] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x72b9d81c [0096.672] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.672] malloc (_Size=0xc) returned 0x32f700 [0096.672] malloc (_Size=0xc) returned 0x32f718 [0096.672] malloc (_Size=0xc) returned 0x32f760 [0096.672] malloc (_Size=0xc) returned 0x32f778 [0096.672] malloc (_Size=0xc) returned 0x32f790 [0096.672] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0096.672] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0096.672] malloc (_Size=0xc) returned 0x32f7a8 [0096.672] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0096.672] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0096.673] malloc (_Size=0xc) returned 0x32f7c0 [0096.673] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0096.673] SysStringLen (param_1="\"") returned 0x1 [0096.673] free (_Block=0x32f7a8) [0096.673] free (_Block=0x32f790) [0096.673] free (_Block=0x32f778) [0096.673] free (_Block=0x32f760) [0096.673] free (_Block=0x32f718) [0096.673] free (_Block=0x32f700) [0096.674] IWbemServices:GetObject (in: This=0x3ad488, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0xcf980*=0x0, ppCallResult=0x0 | out: ppObject=0xcf980*=0x3dc578, ppCallResult=0x0) returned 0x0 [0096.677] malloc (_Size=0xc) returned 0x32f700 [0096.677] IWbemClassObject:Get (in: This=0x3dc578, wszName="Text", lFlags=0, pVal=0xcf92c*(varType=0x0, wReserved1=0x3a, wReserved2=0x41ec, wReserved3=0x39, varVal1=0x4e, varVal2=0xf2c1e0), pType=0x0, plFlavor=0x0 | out: pVal=0xcf92c*(varType=0x2008, wReserved1=0x3a, wReserved2=0x41ec, wReserved3=0x39, varVal1=0x3dc738*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x3c79f0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xf2c1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0096.677] free (_Block=0x32f700) [0096.677] SafeArrayGetLBound (in: psa=0x3dc738, nDim=0x1, plLbound=0xcf944 | out: plLbound=0xcf944) returned 0x0 [0096.677] SafeArrayGetUBound (in: psa=0x3dc738, nDim=0x1, plUbound=0xcf940 | out: plUbound=0xcf940) returned 0x0 [0096.678] SafeArrayGetElement (in: psa=0x3dc738, rgIndices=0xcf9a4, pv=0xcf96c | out: pv=0xcf96c) returned 0x0 [0096.678] malloc (_Size=0xc) returned 0x32f700 [0096.678] malloc (_Size=0xc) returned 0x32f718 [0096.678] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0096.678] free (_Block=0x32f700) [0096.678] IUnknown:Release (This=0x3dc578) returned 0x0 [0096.678] free (_Block=0x32f7c0) [0096.678] ??1CHString@@QAE@XZ () returned 0x1 [0096.678] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.678] free (_Block=0x32f6e8) [0096.678] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.678] lstrlenW (lpString="Shadow copy management.") returned 23 [0096.678] malloc (_Size=0x30) returned 0xbd2268 [0096.678] lstrlenW (lpString="Shadow copy management.") returned 23 [0096.678] free (_Block=0x32f718) [0096.678] IUnknown:Release (This=0x3dbdd8) returned 0x0 [0096.678] free (_Block=0x32f730) [0096.679] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.679] lstrlenW (lpString="PATH") returned 4 [0096.679] lstrlenW (lpString="/") returned 1 [0096.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="PATH", cchCount2=4) returned 1 [0096.679] lstrlenW (lpString="WHERE") returned 5 [0096.679] lstrlenW (lpString="/") returned 1 [0096.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="WHERE", cchCount2=5) returned 1 [0096.679] lstrlenW (lpString="(") returned 1 [0096.679] lstrlenW (lpString="/") returned 1 [0096.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="(", cchCount2=1) returned 3 [0096.679] lstrlenW (lpString="/") returned 1 [0096.679] lstrlenW (lpString="/") returned 1 [0096.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="/", cchCount2=1) returned 2 [0096.679] lstrlenW (lpString="?") returned 1 [0096.679] lstrlenW (lpString="nointeractive") returned 13 [0096.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="nointeractive", cchCount1=13, lpString2="?", cchCount2=1) returned 3 [0096.679] free (_Block=0x32f6d0) [0096.679] GetCurrentThreadId () returned 0xa78 [0096.679] ??0CHString@@QAE@PBG@Z () returned 0xcfb1c [0096.679] ??YCHString@@QAEABV0@PBG@Z () returned 0xcfb1c [0096.679] malloc (_Size=0x800) returned 0xbd2328 [0096.679] LoadStringW (in: hInstance=0x0, uID=0xac5c, lpBuffer=0xbd2328, cchBufferMax=1024 | out: lpBuffer="Unexpected switch at this level.\r\n") returned 0x22 [0096.680] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Unexpected switch at this level.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0096.680] malloc (_Size=0x23) returned 0xbd2b30 [0096.680] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Unexpected switch at this level.\r\n", cchWideChar=-1, lpMultiByteStr=0xbd2b30, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Unexpected switch at this level.\r\n", lpUsedDefaultChar=0x0) returned 35 [0096.680] fprintf (in: _File=0x76d62940, _Format="%s" | out: _File=0x76d62940) returned 34 [0096.681] fflush (in: _File=0x76d62940 | out: _File=0x76d62940) returned 0 [0096.682] free (_Block=0xbd2b30) [0096.682] free (_Block=0xbd2328) [0096.682] ??1CHString@@QAE@XZ () returned 0x1 [0096.682] ??0CHString@@QAE@PBG@Z () returned 0xcfb3c [0096.682] ??YCHString@@QAEABV0@PBG@Z () returned 0xcfb3c [0096.682] GetCurrentThreadId () returned 0xa78 [0096.682] GetLastError () returned 0x0 [0096.682] ??1CHString@@QAE@XZ () returned 0x1 [0096.682] free (_Block=0x32f6a0) [0096.683] free (_Block=0x32f608) [0096.683] free (_Block=0x32f5f0) [0096.683] free (_Block=0x32f5d8) [0096.683] free (_Block=0x323170) [0096.683] free (_Block=0x32eb68) [0096.683] free (_Block=0xbd2268) [0096.684] free (_Block=0x32ff88) [0096.684] free (_Block=0x32f748) [0096.684] free (_Block=0x32eba8) [0096.684] free (_Block=0x32fb10) [0096.684] free (_Block=0x322e38) [0096.684] free (_Block=0x32fae8) [0096.684] ?Empty@CHString@@QAEXXZ () returned 0x72b9d81c [0096.685] free (_Block=0x32fa88) [0096.685] free (_Block=0x32eb88) [0096.685] free (_Block=0x32fad8) [0096.685] free (_Block=0x32fb20) [0096.685] free (_Block=0x323f68) [0096.685] free (_Block=0x322728) [0096.686] free (_Block=0x322770) [0096.686] free (_Block=0x3227b8) [0096.686] free (_Block=0x322810) [0096.686] free (_Block=0x322e20) [0096.686] free (_Block=0x32e8a8) [0096.686] free (_Block=0x322e08) [0096.686] free (_Block=0x32e888) [0096.686] free (_Block=0x3229f0) [0096.686] free (_Block=0x32e868) [0096.686] free (_Block=0x322948) [0096.686] free (_Block=0x322960) [0096.686] free (_Block=0x322910) [0096.686] free (_Block=0x322928) [0096.686] free (_Block=0x322980) [0096.686] free (_Block=0x322998) [0096.686] free (_Block=0x3229b8) [0096.686] free (_Block=0x3229d0) [0096.686] free (_Block=0x3228a0) [0096.686] free (_Block=0x3228b8) [0096.687] free (_Block=0x322868) [0096.687] free (_Block=0x322880) [0096.687] free (_Block=0x3228d8) [0096.687] free (_Block=0x3228f0) [0096.687] free (_Block=0x322830) [0096.687] free (_Block=0x322848) [0096.687] free (_Block=0x3227d8) [0096.688] free (_Block=0x323fb0) [0096.688] free (_Block=0xbd0390) [0096.688] WbemLocator:IUnknown:Release (This=0x3ad488) returned 0x0 [0096.689] WbemLocator:IUnknown:Release (This=0x3ad3e8) returned 0x0 [0096.689] WbemLocator:IUnknown:Release (This=0x390b20) returned 0x1 [0096.689] ?Empty@CHString@@QAEXXZ () returned 0x72b9d81c [0096.689] WbemLocator:IUnknown:Release (This=0x390b20) returned 0x0 [0096.689] free (_Block=0x32f578) [0096.689] free (_Block=0x32f590) [0096.689] free (_Block=0x32eb28) [0096.690] free (_Block=0x32f5a8) [0096.690] free (_Block=0x32f5c0) [0096.690] free (_Block=0x32eb48) [0096.690] free (_Block=0x32f458) [0096.690] free (_Block=0x32f470) [0096.690] free (_Block=0x32ea68) [0096.690] free (_Block=0x32f488) [0096.690] free (_Block=0x32f4a0) [0096.690] free (_Block=0x32ea88) [0096.690] free (_Block=0x32f3f8) [0096.690] free (_Block=0x32f410) [0096.690] free (_Block=0x32ea28) [0096.690] free (_Block=0x32f428) [0096.690] free (_Block=0x32f440) [0096.690] free (_Block=0x32ea48) [0096.691] free (_Block=0x32f518) [0096.691] free (_Block=0x32f530) [0096.691] free (_Block=0x32eae8) [0096.691] free (_Block=0x32f548) [0096.691] free (_Block=0x32f560) [0096.691] free (_Block=0x32eb08) [0096.691] free (_Block=0x32f398) [0096.691] free (_Block=0x32f3b0) [0096.691] free (_Block=0x32e9e8) [0096.691] free (_Block=0x32f3c8) [0096.691] free (_Block=0x32f3e0) [0096.691] free (_Block=0x32ea08) [0096.691] free (_Block=0x32f4b8) [0096.691] free (_Block=0x32f4d0) [0096.691] free (_Block=0x32eaa8) [0096.692] free (_Block=0x32f4e8) [0096.692] free (_Block=0x32f500) [0096.692] free (_Block=0x32eac8) [0096.692] free (_Block=0x32f308) [0096.692] free (_Block=0x32f320) [0096.692] free (_Block=0x32e988) [0096.692] free (_Block=0x323140) [0096.692] free (_Block=0x323158) [0096.692] free (_Block=0x32e8e8) [0096.692] free (_Block=0x322e80) [0096.692] free (_Block=0x322e98) [0096.692] free (_Block=0x32e8c8) [0096.692] free (_Block=0x32f278) [0096.692] free (_Block=0x32f290) [0096.692] free (_Block=0x32e928) [0096.692] free (_Block=0x32f338) [0096.693] free (_Block=0x32f350) [0096.693] free (_Block=0x32e9a8) [0096.693] free (_Block=0x32f248) [0096.693] free (_Block=0x32f260) [0096.693] free (_Block=0x32e908) [0096.693] free (_Block=0x32f2a8) [0096.693] free (_Block=0x32f2c0) [0096.693] free (_Block=0x32e948) [0096.693] free (_Block=0x32f2d8) [0096.693] free (_Block=0x32f2f0) [0096.693] free (_Block=0x32e968) [0096.693] free (_Block=0x32f368) [0096.693] free (_Block=0x32f380) [0096.693] free (_Block=0x32e9c8) [0096.693] CoUninitialize () [0096.732] exit (_Code=44124) [0096.733] free (_Block=0x32f630) [0096.733] free (_Block=0x323e38) [0096.734] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.734] free (_Block=0x322f58) [0096.735] free (_Block=0x323fd8) [0096.735] free (_Block=0x323e18) [0096.735] free (_Block=0x323df8) [0096.735] free (_Block=0x323dc8) [0096.735] free (_Block=0x323da8) [0096.735] free (_Block=0x3213d8) [0096.736] free (_Block=0x323d68) [0096.736] free (_Block=0x3213b8) [0096.736] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0096.736] free (_Block=0x32f6b8) Thread: id = 62 os_tid = 0x88c Thread: id = 80 os_tid = 0xa84 Thread: id = 81 os_tid = 0x9f8 Thread: id = 82 os_tid = 0x134 Process: id = "4" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x4f18e000" os_pid = "0xa94" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0004b130" [0xc000000f] Region: id = 2716 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2717 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2718 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2719 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2720 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2721 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2722 start_va = 0xd0000 end_va = 0xd4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2723 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2724 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2725 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2726 start_va = 0x110000 end_va = 0x11cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2727 start_va = 0x120000 end_va = 0x122fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2728 start_va = 0x130000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2729 start_va = 0x1b0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2730 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 2731 start_va = 0x3b0000 end_va = 0x537fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 2732 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2733 start_va = 0x550000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 2734 start_va = 0x6e0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2735 start_va = 0x7a0000 end_va = 0xa6efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2736 start_va = 0xa70000 end_va = 0xa74fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 2737 start_va = 0xa80000 end_va = 0xa82fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 2738 start_va = 0xab0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 2739 start_va = 0xb50000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 2740 start_va = 0xc10000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 2741 start_va = 0xce0000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2742 start_va = 0xe30000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 2743 start_va = 0xf30000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 2744 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2745 start_va = 0x10b0000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2746 start_va = 0x11b0000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 2747 start_va = 0x72c90000 end_va = 0x72c92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 2748 start_va = 0x72ca0000 end_va = 0x72ca2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll") Region: id = 2749 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2750 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2751 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2752 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2753 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2754 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2755 start_va = 0x13f320000 end_va = 0x13f38bfff monitored = 0 entry_point = 0x13f35b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2756 start_va = 0x7fef0ce0000 end_va = 0x7fef0ed9fff monitored = 0 entry_point = 0x7fef0cf4c9c region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 2757 start_va = 0x7fef1470000 end_va = 0x7fef1479fff monitored = 0 entry_point = 0x7fef14731c8 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 2758 start_va = 0x7fef2a30000 end_va = 0x7fef2a41fff monitored = 0 entry_point = 0x7fef2a3aab8 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 2759 start_va = 0x7fef2a50000 end_va = 0x7fef2a57fff monitored = 0 entry_point = 0x7fef2a511a0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 2760 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2761 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2762 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2763 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2764 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2765 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2766 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2767 start_va = 0x7fef96a0000 end_va = 0x7fef96e2fff monitored = 0 entry_point = 0x7fef96c1b50 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2768 start_va = 0x7fef99e0000 end_va = 0x7fef99eefff monitored = 0 entry_point = 0x7fef99e1040 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2769 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2770 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2771 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2772 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2773 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2774 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2775 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2776 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2777 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2778 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2779 start_va = 0x7fefcdd0000 end_va = 0x7fefce26fff monitored = 0 entry_point = 0x7fefcdd5e38 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 2780 start_va = 0x7fefce30000 end_va = 0x7fefce5ffff monitored = 0 entry_point = 0x7fefce3194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 2781 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2782 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2783 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2784 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2785 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2786 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2787 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2788 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2789 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2790 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2791 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2792 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2793 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2794 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2795 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2796 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2797 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2798 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2799 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2800 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2801 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2802 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2803 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2804 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2805 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2806 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2807 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2808 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2809 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2810 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2811 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2812 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2813 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2814 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2815 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2816 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2817 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2818 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2819 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2820 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2821 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2822 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3147 start_va = 0x7fefb100000 end_va = 0x7fefb12bfff monitored = 0 entry_point = 0x7fefb118194 region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Thread: id = 63 os_tid = 0xaa8 Thread: id = 64 os_tid = 0xa9c Thread: id = 65 os_tid = 0xa98 Thread: id = 66 os_tid = 0xa90 Thread: id = 67 os_tid = 0xa88 Thread: id = 68 os_tid = 0xac4 Thread: id = 69 os_tid = 0xab4 Thread: id = 70 os_tid = 0xaa4 Thread: id = 71 os_tid = 0xa8c Thread: id = 176 os_tid = 0xb54 Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x65f7a000" os_pid = "0x5cc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2467 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2468 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2469 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2470 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2471 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2472 start_va = 0x60000 end_va = 0x64fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2473 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2474 start_va = 0x80000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2475 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 2476 start_va = 0x190000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2477 start_va = 0x210000 end_va = 0x276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2478 start_va = 0x280000 end_va = 0x280fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 2479 start_va = 0x300000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2480 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2481 start_va = 0x410000 end_va = 0x597fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2482 start_va = 0x5a0000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 2483 start_va = 0x730000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 2484 start_va = 0x7f0000 end_va = 0xabefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2485 start_va = 0xaf0000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2486 start_va = 0xb70000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 2487 start_va = 0xbf0000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 2488 start_va = 0xd20000 end_va = 0xd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 2489 start_va = 0xda0000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 2490 start_va = 0xe60000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 2491 start_va = 0xf20000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 2492 start_va = 0xfa0000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 2493 start_va = 0x1110000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2494 start_va = 0x1300000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 2495 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2496 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2497 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2498 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2499 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2500 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2501 start_va = 0x13f320000 end_va = 0x13f38bfff monitored = 0 entry_point = 0x13f35b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2502 start_va = 0x7fef13f0000 end_va = 0x7fef143dfff monitored = 0 entry_point = 0x7fef13f1198 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 2503 start_va = 0x7fef1440000 end_va = 0x7fef1464fff monitored = 0 entry_point = 0x7fef1458d6c region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 2504 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2505 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2506 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2507 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2508 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2509 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2510 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2511 start_va = 0x7fef8290000 end_va = 0x7fef8315fff monitored = 0 entry_point = 0x7fef829ffd0 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2512 start_va = 0x7fef8320000 end_va = 0x7fef835bfff monitored = 0 entry_point = 0x7fef8345aa8 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 2513 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2514 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2515 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2516 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2517 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2518 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2519 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2520 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2521 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2522 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2523 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2524 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2525 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2526 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2527 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2528 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2529 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2530 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2531 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2532 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2533 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2534 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2535 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2536 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2537 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2538 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2539 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2540 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2541 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2542 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2543 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2544 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2545 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2546 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 72 os_tid = 0x494 Thread: id = 73 os_tid = 0x720 Thread: id = 74 os_tid = 0x7e0 Thread: id = 75 os_tid = 0x6f0 Thread: id = 76 os_tid = 0x700 Thread: id = 77 os_tid = 0x2a4 Thread: id = 78 os_tid = 0x6e4 Thread: id = 79 os_tid = 0x3a4 Thread: id = 175 os_tid = 0x8a8 Process: id = "6" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x43824000" os_pid = "0x224" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xae4" cmd_line = "vssadmin.exe Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1715 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1716 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1717 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1718 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1719 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1720 start_va = 0x130000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1721 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1722 start_va = 0x830000 end_va = 0x84efff monitored = 0 entry_point = 0x841f03 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe") Region: id = 1723 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1724 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1725 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1726 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1727 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1728 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1729 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1730 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1731 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1732 start_va = 0x80000 end_va = 0xfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1733 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1734 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1735 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1736 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1737 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1738 start_va = 0x1d0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1739 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1740 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1741 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1742 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1743 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1744 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1745 start_va = 0x2e0000 end_va = 0x346fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1746 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1747 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1748 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1749 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1750 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1751 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1752 start_va = 0x72b90000 end_va = 0x72ba3fff monitored = 0 entry_point = 0x72b91da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 1753 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1754 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1755 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1756 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1757 start_va = 0x72b80000 end_va = 0x72b8ffff monitored = 0 entry_point = 0x72b81270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll") Region: id = 1758 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1759 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1760 start_va = 0x72a60000 end_va = 0x72b75fff monitored = 0 entry_point = 0x72a61590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll") Region: id = 1761 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1762 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1763 start_va = 0x100000 end_va = 0x11dfff monitored = 0 entry_point = 0x11158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1764 start_va = 0x100000 end_va = 0x11dfff monitored = 0 entry_point = 0x11158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1765 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1766 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1767 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 1768 start_va = 0x850000 end_va = 0x1c4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 1769 start_va = 0x30000 end_va = 0x3cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui") Region: id = 1770 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1771 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1772 start_va = 0x3f0000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1773 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1774 start_va = 0x770000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 1775 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1776 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1777 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1778 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1779 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1780 start_va = 0x1d50000 end_va = 0x1d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 1781 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1782 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1783 start_va = 0x350000 end_va = 0x38bfff monitored = 0 entry_point = 0x35128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1784 start_va = 0x350000 end_va = 0x38bfff monitored = 0 entry_point = 0x35128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1785 start_va = 0x350000 end_va = 0x38bfff monitored = 0 entry_point = 0x35128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1786 start_va = 0x350000 end_va = 0x38bfff monitored = 0 entry_point = 0x35128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1787 start_va = 0x350000 end_va = 0x38bfff monitored = 0 entry_point = 0x35128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1788 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1789 start_va = 0x1d90000 end_va = 0x205efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1790 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 1791 start_va = 0x20a0000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 1792 start_va = 0x2110000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 1793 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1794 start_va = 0x1c80000 end_va = 0x1cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 1795 start_va = 0x2170000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 1796 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1875 start_va = 0x21b0000 end_va = 0x226ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1880 start_va = 0x350000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1881 start_va = 0x170000 end_va = 0x177fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui") Thread: id = 83 os_tid = 0xab0 Thread: id = 84 os_tid = 0x8b0 Thread: id = 85 os_tid = 0xad4 Thread: id = 86 os_tid = 0x8b8 Thread: id = 87 os_tid = 0x8b4 Process: id = "7" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x43c54000" os_pid = "0x228" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:000617a6" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1797 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1798 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1799 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1800 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1801 start_va = 0x50000 end_va = 0x60fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 1802 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1803 start_va = 0x80000 end_va = 0x8cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1804 start_va = 0x90000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1805 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1806 start_va = 0x150000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1807 start_va = 0x250000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1808 start_va = 0x330000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1809 start_va = 0x340000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1810 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1811 start_va = 0x5d0000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1812 start_va = 0x760000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1813 start_va = 0x920000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 1814 start_va = 0x9b0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 1815 start_va = 0xab0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 1816 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 1817 start_va = 0xc20000 end_va = 0xeeefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1818 start_va = 0x1010000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 1819 start_va = 0x10c0000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 1820 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1821 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1822 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1823 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1824 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1825 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1826 start_va = 0xffd40000 end_va = 0xffecafff monitored = 0 entry_point = 0xffe70804 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 1827 start_va = 0x7fef1bb0000 end_va = 0x7fef1bc3fff monitored = 0 entry_point = 0x7fef1bb1324 region_type = mapped_file name = "xolehlp.dll" filename = "\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 1828 start_va = 0x7fef1bd0000 end_va = 0x7fef1be3fff monitored = 0 entry_point = 0x7fef1bdc210 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 1829 start_va = 0x7fef4980000 end_va = 0x7fef4989fff monitored = 0 entry_point = 0x7fef49842bc region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 1830 start_va = 0x7fef49b0000 end_va = 0x7fef49b8fff monitored = 0 entry_point = 0x7fef49b325c region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 1831 start_va = 0x7fef5470000 end_va = 0x7fef5488fff monitored = 0 entry_point = 0x7fef5471104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1832 start_va = 0x7fef5490000 end_va = 0x7fef54dffff monitored = 0 entry_point = 0x7fef5491190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1833 start_va = 0x7fef5b90000 end_va = 0x7fef5ba6fff monitored = 0 entry_point = 0x7fef5b91060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1834 start_va = 0x7fef5bb0000 end_va = 0x7fef5d5ffff monitored = 0 entry_point = 0x7fef5bb1010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1835 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1836 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1837 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1838 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1839 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1840 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1841 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1842 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1843 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1844 start_va = 0x7fefd2c0000 end_va = 0x7fefd2d3fff monitored = 0 entry_point = 0x7fefd2c4160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1845 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1846 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1847 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1848 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1849 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1850 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1851 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1852 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1853 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1854 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1855 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1856 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1857 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1858 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1859 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1860 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1861 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1862 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1863 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1864 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1865 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1866 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1867 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1868 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1869 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1870 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1871 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1872 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1873 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1874 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1876 start_va = 0x120000 end_va = 0x127fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1877 start_va = 0x7fefc200000 end_va = 0x7fefc21cfff monitored = 0 entry_point = 0x7fefc201ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1878 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1879 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2004 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2031 start_va = 0x7fef1800000 end_va = 0x7fef1884fff monitored = 0 entry_point = 0x7fef1802600 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 2035 start_va = 0x7fef1910000 end_va = 0x7fef191bfff monitored = 1 entry_point = 0x7fef1911070 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Thread: id = 88 os_tid = 0x8cc Thread: id = 89 os_tid = 0x8c8 [0099.093] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xc1d7a0 | out: lpSystemTimeAsFileTime=0xc1d7a0*(dwLowDateTime=0x52c30a20, dwHighDateTime=0x1d7fb45)) [0099.093] GetCurrentProcessId () returned 0x228 [0099.093] GetCurrentThreadId () returned 0x8c8 [0099.093] GetTickCount () returned 0xec34ca [0099.093] QueryPerformanceCounter (in: lpPerformanceCount=0xc1d7a8 | out: lpPerformanceCount=0xc1d7a8*=1564239653173) returned 1 [0099.093] malloc (_Size=0x100) returned 0x338ee0 Thread: id = 90 os_tid = 0xb60 Thread: id = 91 os_tid = 0x8bc Thread: id = 92 os_tid = 0xb58 Thread: id = 93 os_tid = 0xb5c Thread: id = 94 os_tid = 0xb54 Thread: id = 111 os_tid = 0xa60 Thread: id = 177 os_tid = 0x39c Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6d65000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e1f0" [0xc000000f], "LOCAL" [0x7] Region: id = 1882 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1883 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1884 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1885 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1886 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1887 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1888 start_va = 0xd0000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1889 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1890 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1891 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1892 start_va = 0x180000 end_va = 0x183fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1893 start_va = 0x190000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1894 start_va = 0x290000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1895 start_va = 0x390000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 1896 start_va = 0x460000 end_va = 0x461fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 1897 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1898 start_va = 0x480000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1899 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1900 start_va = 0x7a0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1901 start_va = 0x820000 end_va = 0x821fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netprofm.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofm.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofm.dll.mui") Region: id = 1902 start_va = 0x830000 end_va = 0x840fff monitored = 0 entry_point = 0x846060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1903 start_va = 0x870000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1904 start_va = 0x930000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 1905 start_va = 0x9a0000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 1906 start_va = 0xa70000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 1907 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 1908 start_va = 0xb10000 end_va = 0xddefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1909 start_va = 0xdf0000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 1910 start_va = 0xed0000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 1911 start_va = 0xf60000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 1912 start_va = 0xfe0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 1913 start_va = 0x10e0000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 1914 start_va = 0x11e0000 end_va = 0x129ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1915 start_va = 0x12e0000 end_va = 0x135ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 1916 start_va = 0x1360000 end_va = 0x13dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 1917 start_va = 0x1520000 end_va = 0x159ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 1918 start_va = 0x15b0000 end_va = 0x162ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 1919 start_va = 0x1630000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 1920 start_va = 0x1700000 end_va = 0x177ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 1921 start_va = 0x1810000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 1922 start_va = 0x18a0000 end_va = 0x191ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 1923 start_va = 0x19a0000 end_va = 0x1a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 1924 start_va = 0x1a20000 end_va = 0x1b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 1925 start_va = 0x1b20000 end_va = 0x1d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b20000" filename = "" Region: id = 1926 start_va = 0x1d60000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 1927 start_va = 0x1e20000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 1928 start_va = 0x75500000 end_va = 0x75502fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 1929 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1930 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1931 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1932 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1933 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1934 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1935 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1936 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1937 start_va = 0x7fef4c00000 end_va = 0x7fef4cd7fff monitored = 0 entry_point = 0x7fef4c8a7d0 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 1938 start_va = 0x7fef4f90000 end_va = 0x7fef4f97fff monitored = 0 entry_point = 0x7fef4f91414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1939 start_va = 0x7fef5980000 end_va = 0x7fef5998fff monitored = 0 entry_point = 0x7fef5982b50 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 1940 start_va = 0x7fef59a0000 end_va = 0x7fef59affff monitored = 0 entry_point = 0x7fef59a1010 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 1941 start_va = 0x7fef59b0000 end_va = 0x7fef59c1fff monitored = 0 entry_point = 0x7fef59b1050 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 1942 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1943 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1944 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1945 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1946 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1947 start_va = 0x7fef9280000 end_va = 0x7fef9289fff monitored = 0 entry_point = 0x7fef92847b8 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 1948 start_va = 0x7fefb1c0000 end_va = 0x7fefb1cafff monitored = 0 entry_point = 0x7fefb1c12e0 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1949 start_va = 0x7fefb1d0000 end_va = 0x7fefb1e8fff monitored = 0 entry_point = 0x7fefb1d177c region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1950 start_va = 0x7fefb1f0000 end_va = 0x7fefb204fff monitored = 0 entry_point = 0x7fefb1f12a0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1951 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1952 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1953 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1954 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1955 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1956 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1957 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1958 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1959 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1960 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1961 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1962 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1963 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1964 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1965 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1966 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1967 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1968 start_va = 0x7fefd650000 end_va = 0x7fefd6e0fff monitored = 0 entry_point = 0x7fefd651440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1969 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1970 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1971 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1972 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1973 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1974 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1975 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1976 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1977 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1978 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1979 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1980 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1981 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1982 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1983 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1984 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1985 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1986 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1987 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1988 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1989 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1990 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1991 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1992 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1993 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1994 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1995 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1996 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1997 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1998 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1999 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2000 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2001 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2002 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2003 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2922 start_va = 0x1f10000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 2923 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Thread: id = 95 os_tid = 0x80c Thread: id = 96 os_tid = 0x7f8 Thread: id = 97 os_tid = 0x684 Thread: id = 98 os_tid = 0x368 Thread: id = 99 os_tid = 0x308 Thread: id = 100 os_tid = 0x130 Thread: id = 101 os_tid = 0x778 Thread: id = 102 os_tid = 0x768 Thread: id = 103 os_tid = 0x750 Thread: id = 104 os_tid = 0x734 Thread: id = 105 os_tid = 0x71c Thread: id = 106 os_tid = 0x16c Thread: id = 107 os_tid = 0x144 Thread: id = 108 os_tid = 0xcc Thread: id = 109 os_tid = 0x3fc Thread: id = 141 os_tid = 0x8d0 Thread: id = 174 os_tid = 0x700 Process: id = "9" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x45129000" os_pid = "0x820" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xae4" cmd_line = "wmic.exe SHADOWCOPY /nointeractive" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2005 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2006 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2007 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2008 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2009 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2010 start_va = 0xb0000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2011 start_va = 0x110000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2012 start_va = 0xa90000 end_va = 0xaf2fff monitored = 1 entry_point = 0xacd81a region_type = mapped_file name = "wmic.exe" filename = "\\Windows\\SysWOW64\\wbem\\WMIC.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe") Region: id = 2013 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2014 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2015 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2016 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2017 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2018 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2019 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2020 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2021 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2022 start_va = 0x1c0000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2023 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2024 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2025 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2026 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2027 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2028 start_va = 0x240000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 2029 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2030 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2032 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2033 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2034 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2036 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2037 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2038 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2039 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2040 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2041 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2042 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2043 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2044 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2045 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2046 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2047 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2048 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2049 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2050 start_va = 0x72b30000 end_va = 0x72b64fff monitored = 0 entry_point = 0x72b4ee80 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2051 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2052 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2053 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2054 start_va = 0x72c10000 end_va = 0x72c17fff monitored = 0 entry_point = 0x72c110e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2055 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2056 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2057 start_va = 0x3b0000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 2058 start_va = 0x70000 end_va = 0x8dfff monitored = 0 entry_point = 0x8158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2059 start_va = 0x540000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 2060 start_va = 0x70000 end_va = 0x8dfff monitored = 0 entry_point = 0x8158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2061 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2062 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2063 start_va = 0x6d0000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 2064 start_va = 0xb00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 2065 start_va = 0x30000 end_va = 0x3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmic.exe.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmic.exe.mui") Region: id = 2066 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2067 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2068 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 2069 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2070 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2071 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2072 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 2073 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2074 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 2075 start_va = 0x72ba0000 end_va = 0x72baafff monitored = 0 entry_point = 0x72ba52a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2076 start_va = 0x72ac0000 end_va = 0x72b20fff monitored = 0 entry_point = 0x72afbf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 2077 start_va = 0x75300000 end_va = 0x75316fff monitored = 0 entry_point = 0x753035fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2078 start_va = 0x1f00000 end_va = 0x21cefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2079 start_va = 0x72cb0000 end_va = 0x72de2fff monitored = 0 entry_point = 0x72cb145e region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll") Region: id = 2080 start_va = 0x860000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2081 start_va = 0x860000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2082 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 2083 start_va = 0x21d0000 end_va = 0x238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 2084 start_va = 0x3b0000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 2085 start_va = 0x21d0000 end_va = 0x232ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 2086 start_va = 0x2350000 end_va = 0x238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2087 start_va = 0x2390000 end_va = 0x24dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 2088 start_va = 0x24e0000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 2089 start_va = 0x860000 end_va = 0x91ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2090 start_va = 0x920000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 2091 start_va = 0x2630000 end_va = 0x2a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2092 start_va = 0xf0000 end_va = 0xf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll") Region: id = 2093 start_va = 0x240000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 2094 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 2095 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2096 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2097 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2098 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2099 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2100 start_va = 0x21d0000 end_va = 0x22cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 2101 start_va = 0x22f0000 end_va = 0x232ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 2102 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2103 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 2104 start_va = 0x260000 end_va = 0x260fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2105 start_va = 0x270000 end_va = 0x271fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 2106 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2107 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 2108 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2109 start_va = 0x280000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 2110 start_va = 0x290000 end_va = 0x297fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 2111 start_va = 0x2a0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 2112 start_va = 0x74560000 end_va = 0x745a3fff monitored = 0 entry_point = 0x745763f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 2113 start_va = 0x2a30000 end_va = 0x2b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 2114 start_va = 0x743f0000 end_va = 0x7446ffff monitored = 0 entry_point = 0x744037c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2115 start_va = 0x2b90000 end_va = 0x2d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 2116 start_va = 0x2390000 end_va = 0x246efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002390000" filename = "" Region: id = 2117 start_va = 0x24a0000 end_va = 0x24dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 2118 start_va = 0x24f0000 end_va = 0x252ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 2119 start_va = 0x2550000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 2120 start_va = 0x25f0000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 2121 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2122 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2123 start_va = 0x3b0000 end_va = 0x3ebfff monitored = 0 entry_point = 0x3b128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2124 start_va = 0x410000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2125 start_va = 0x3b0000 end_va = 0x3ebfff monitored = 0 entry_point = 0x3b128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2126 start_va = 0x3b0000 end_va = 0x3ebfff monitored = 0 entry_point = 0x3b128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2127 start_va = 0x3b0000 end_va = 0x3ebfff monitored = 0 entry_point = 0x3b128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2128 start_va = 0x3b0000 end_va = 0x3ebfff monitored = 0 entry_point = 0x3b128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2129 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2130 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 2131 start_va = 0x3d0000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2132 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2133 start_va = 0xa30000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2134 start_va = 0x2ac0000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 2135 start_va = 0x2b50000 end_va = 0x2b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 2136 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2137 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2138 start_va = 0x72b90000 end_va = 0x72b9efff monitored = 0 entry_point = 0x72b993d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2139 start_va = 0x72a10000 end_va = 0x72ab5fff monitored = 0 entry_point = 0x72a7a2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2140 start_va = 0x72b70000 end_va = 0x72b87fff monitored = 0 entry_point = 0x72b71335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 2141 start_va = 0x3b0000 end_va = 0x3bcfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Thread: id = 110 os_tid = 0x9c4 [0099.355] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef9fc | out: lpSystemTimeAsFileTime=0xef9fc*(dwLowDateTime=0x52eb8180, dwHighDateTime=0x1d7fb45)) [0099.355] GetCurrentProcessId () returned 0x820 [0099.356] GetCurrentThreadId () returned 0x9c4 [0099.356] GetTickCount () returned 0xec35d3 [0099.356] QueryPerformanceCounter (in: lpPerformanceCount=0xef9f4 | out: lpPerformanceCount=0xef9f4*=1564265917691) returned 1 [0099.356] GetModuleHandleA (lpModuleName=0x0) returned 0xa90000 [0099.356] __set_app_type (_Type=0x1) [0099.356] __p__fmode () returned 0x76d631f4 [0099.356] __p__commode () returned 0x76d631fc [0099.356] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xacdc15) returned 0x0 [0099.357] __wgetmainargs (in: _Argc=0xadc5e8, _Argv=0xadc5f0, _Env=0xadc5ec, _DoWildCard=0, _StartInfo=0xadc5fc | out: _Argc=0xadc5e8, _Argv=0xadc5f0, _Env=0xadc5ec) returned 0 [0099.357] ??0CHString@@QAE@XZ () returned 0xadc28c [0099.358] malloc (_Size=0x18) returned 0x5313b8 [0099.358] malloc (_Size=0x38) returned 0x533d68 [0099.358] malloc (_Size=0x28) returned 0x5313d8 [0099.358] malloc (_Size=0x18) returned 0x533da8 [0099.358] malloc (_Size=0x24) returned 0x533dc8 [0099.358] malloc (_Size=0x18) returned 0x533df8 [0099.358] malloc (_Size=0x18) returned 0x533e18 [0099.358] ??0CHString@@QAE@XZ () returned 0xadc594 [0099.358] malloc (_Size=0x18) returned 0x533e38 [0099.358] ?Empty@CHString@@QAEXXZ () returned 0x72b5d81c [0099.358] SetConsoleCtrlHandler (HandlerRoutine=0xac6b6f, Add=1) returned 1 [0099.358] _onexit (_Func=0xad2f1f) returned 0xad2f1f [0099.359] _onexit (_Func=0xad2f2e) returned 0xad2f2e [0099.359] _onexit (_Func=0xad2f42) returned 0xad2f42 [0099.359] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.359] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0099.360] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0099.445] CoCreateInstance (in: rclsid=0xa96c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xadc1b0 | out: ppv=0xadc1b0*=0x2d0b20) returned 0x0 [0099.459] GetCurrentProcess () returned 0xffffffff [0099.459] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xef8a4 | out: TokenHandle=0xef8a4*=0x11c) returned 1 [0099.460] GetTokenInformation (in: TokenHandle=0x11c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xef8a0 | out: TokenInformation=0x0, ReturnLength=0xef8a0) returned 0 [0099.460] malloc (_Size=0x118) returned 0x532728 [0099.460] GetTokenInformation (in: TokenHandle=0x11c, TokenInformationClass=0x3, TokenInformation=0x532728, TokenInformationLength=0x118, ReturnLength=0xef8a0 | out: TokenInformation=0x532728, ReturnLength=0xef8a0) returned 1 [0099.460] AdjustTokenPrivileges (in: TokenHandle=0x11c, DisableAllPrivileges=0, NewState=0x532728*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0099.460] free (_Block=0x532728) [0099.460] CloseHandle (hObject=0x11c) returned 1 [0099.460] malloc (_Size=0x40) returned 0x533f68 [0099.460] malloc (_Size=0x40) returned 0x532728 [0099.461] malloc (_Size=0x40) returned 0x532770 [0099.461] malloc (_Size=0x20a) returned 0x5327b8 [0099.461] GetSystemDirectoryW (in: lpBuffer=0x5327b8, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0099.461] free (_Block=0x5327b8) [0099.461] malloc (_Size=0xc) returned 0x533fb0 [0099.461] malloc (_Size=0xc) returned 0x533fc8 [0099.461] malloc (_Size=0xc) returned 0x5327b8 [0099.461] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0099.461] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0099.461] free (_Block=0x533fb0) [0099.462] free (_Block=0x533fc8) [0099.462] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x769b0000 [0099.462] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadUILanguage") returned 0x769da827 [0099.462] SetThreadUILanguage (LangId=0x0) returned 0x409 [0099.463] FreeLibrary (hLibModule=0x769b0000) returned 1 [0099.463] free (_Block=0x5327b8) [0099.463] _vsnwprintf (in: _Buffer=0x532770, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xef800 | out: _Buffer="ms_409") returned 6 [0099.463] malloc (_Size=0x20) returned 0x533fb0 [0099.463] GetComputerNameW (in: lpBuffer=0x533fb0, nSize=0xef858 | out: lpBuffer="Q9IATRKPRH", nSize=0xef858) returned 1 [0099.463] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.463] malloc (_Size=0x16) returned 0x5327b8 [0099.463] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.463] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xef894 | out: lpNameBuffer=0x0, nSize=0xef894) returned 0x0 [0099.465] GetLastError () returned 0xea [0099.465] malloc (_Size=0x2c) returned 0x5327d8 [0099.465] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x5327d8, nSize=0xef894 | out: lpNameBuffer="Q9IATRKPRH\\kEecfMwgj", nSize=0xef894) returned 0x1 [0099.465] lstrlenW (lpString="") returned 0 [0099.465] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.465] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3 [0099.469] lstrlenW (lpString=".") returned 1 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2=".", cchCount2=1) returned 3 [0099.469] lstrlenW (lpString="LOCALHOST") returned 9 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="LOCALHOST", cchCount2=9) returned 3 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="Q9IATRKPRH", cchCount2=10) returned 2 [0099.469] free (_Block=0x5327b8) [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] malloc (_Size=0x16) returned 0x5327b8 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] malloc (_Size=0x16) returned 0x532810 [0099.469] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0099.469] malloc (_Size=0x4) returned 0x533fd8 [0099.469] malloc (_Size=0xc) returned 0x532830 [0099.469] malloc (_Size=0x18) returned 0x532848 [0099.469] malloc (_Size=0xc) returned 0x532868 [0099.469] SysStringLen (param_1="IDENTIFY") returned 0x8 [0099.469] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0099.469] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0099.469] SysStringLen (param_1="IDENTIFY") returned 0x8 [0099.469] malloc (_Size=0x18) returned 0x532880 [0099.470] malloc (_Size=0xc) returned 0x5328a0 [0099.470] SysStringLen (param_1="IMPERSONATE") returned 0xb [0099.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0099.470] SysStringLen (param_1="IMPERSONATE") returned 0xb [0099.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0099.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0099.470] SysStringLen (param_1="IMPERSONATE") returned 0xb [0099.470] malloc (_Size=0x18) returned 0x5328b8 [0099.470] malloc (_Size=0xc) returned 0x5328d8 [0099.470] SysStringLen (param_1="DELEGATE") returned 0x8 [0099.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0099.470] SysStringLen (param_1="DELEGATE") returned 0x8 [0099.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0099.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0099.470] SysStringLen (param_1="DELEGATE") returned 0x8 [0099.470] malloc (_Size=0x18) returned 0x5328f0 [0099.470] malloc (_Size=0xc) returned 0x532910 [0099.470] malloc (_Size=0x18) returned 0x532928 [0099.470] malloc (_Size=0xc) returned 0x532948 [0099.470] SysStringLen (param_1="NONE") returned 0x4 [0099.470] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.471] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.471] SysStringLen (param_1="NONE") returned 0x4 [0099.471] malloc (_Size=0x18) returned 0x532960 [0099.471] malloc (_Size=0xc) returned 0x532980 [0099.471] SysStringLen (param_1="CONNECT") returned 0x7 [0099.471] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.471] malloc (_Size=0x18) returned 0x532998 [0099.471] malloc (_Size=0xc) returned 0x5329b8 [0099.472] SysStringLen (param_1="CALL") returned 0x4 [0099.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.472] SysStringLen (param_1="CALL") returned 0x4 [0099.472] SysStringLen (param_1="CONNECT") returned 0x7 [0099.472] malloc (_Size=0x18) returned 0x5329d0 [0099.472] malloc (_Size=0xc) returned 0x5329f0 [0099.472] SysStringLen (param_1="PKT") returned 0x3 [0099.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.472] SysStringLen (param_1="PKT") returned 0x3 [0099.472] SysStringLen (param_1="NONE") returned 0x4 [0099.472] SysStringLen (param_1="NONE") returned 0x4 [0099.472] SysStringLen (param_1="PKT") returned 0x3 [0099.472] malloc (_Size=0x18) returned 0x53e868 [0099.472] malloc (_Size=0xc) returned 0x532e08 [0099.472] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0099.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.472] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0099.473] SysStringLen (param_1="NONE") returned 0x4 [0099.473] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0099.473] SysStringLen (param_1="PKT") returned 0x3 [0099.473] SysStringLen (param_1="PKT") returned 0x3 [0099.473] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0099.473] malloc (_Size=0x18) returned 0x53e888 [0099.473] malloc (_Size=0xc) returned 0x532e20 [0099.473] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0099.473] SysStringLen (param_1="DEFAULT") returned 0x7 [0099.473] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0099.473] SysStringLen (param_1="PKT") returned 0x3 [0099.473] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0099.473] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0099.473] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0099.473] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0099.473] malloc (_Size=0x18) returned 0x53e8a8 [0099.473] malloc (_Size=0x40) returned 0x532e38 [0099.473] malloc (_Size=0x20a) returned 0x532e80 [0099.473] GetSystemDirectoryW (in: lpBuffer=0x532e80, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0099.474] free (_Block=0x532e80) [0099.474] malloc (_Size=0xc) returned 0x532e80 [0099.474] malloc (_Size=0xc) returned 0x532e98 [0099.474] malloc (_Size=0xc) returned 0x532eb0 [0099.474] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0099.474] SysStringLen (param_1="\\wbem\\") returned 0x6 [0099.474] free (_Block=0x532e80) [0099.474] free (_Block=0x532e98) [0099.474] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0099.474] free (_Block=0x532eb0) [0099.474] malloc (_Size=0xc) returned 0x532e80 [0099.474] malloc (_Size=0xc) returned 0x532e98 [0099.474] malloc (_Size=0xc) returned 0x532eb0 [0099.474] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0099.474] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0099.474] free (_Block=0x532e80) [0099.475] free (_Block=0x532e98) [0099.475] GetCurrentThreadId () returned 0x9c4 [0099.475] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xef3b0 | out: phkResult=0xef3b0*=0x120) returned 0x0 [0099.475] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xef3bc, lpcbData=0xef3b8*=0x400 | out: lpType=0x0, lpData=0xef3bc*=0x30, lpcbData=0xef3b8*=0x4) returned 0x0 [0099.475] _wcsicmp (_String1="0", _String2="1") returned -1 [0099.475] _wcsicmp (_String1="0", _String2="2") returned -2 [0099.475] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xef3b8*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xef3b8*=0x42) returned 0x0 [0099.475] malloc (_Size=0x86) returned 0x532ec8 [0099.475] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x532ec8, lpcbData=0xef3b8*=0x42 | out: lpType=0x0, lpData=0x532ec8*=0x25, lpcbData=0xef3b8*=0x42) returned 0x0 [0099.475] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0099.475] malloc (_Size=0x42) returned 0x532f58 [0099.475] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0099.475] RegQueryValueExW (in: hKey=0x120, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xef3bc, lpcbData=0xef3b8*=0x400 | out: lpType=0x0, lpData=0xef3bc*=0x36, lpcbData=0xef3b8*=0xc) returned 0x0 [0099.475] _wtol (_String="65536") returned 65536 [0099.476] free (_Block=0x532ec8) [0099.476] RegCloseKey (hKey=0x0) returned 0x6 [0099.476] CoCreateInstance (in: rclsid=0xa96d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa96d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xef84c | out: ppv=0xef84c*=0x9f4630) returned 0x0 [0099.494] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x9f4630, xmlSource=0xef7d0*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77a1, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0xef834 | out: isSuccessful=0xef834*=0xffff) returned 0x0 [0099.643] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x9f4630, DOMElement=0xef848 | out: DOMElement=0xef848*=0x9f8c58) returned 0x0 [0099.643] malloc (_Size=0xc) returned 0x532e80 [0099.644] IXMLDOMElement:getElementsByTagName (in: This=0x9f8c58, tagName="XSLFORMAT", resultList=0xef844 | out: resultList=0xef844*=0x9f8e80) returned 0x0 [0099.644] free (_Block=0x532e80) [0099.644] IXMLDOMNodeList:get_length (in: This=0x9f8e80, listLength=0xef82c | out: listLength=0xef82c*=21) returned 0x0 [0099.644] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=0, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.644] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.645] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.645] malloc (_Size=0xc) returned 0x532e80 [0099.645] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.645] free (_Block=0x532e80) [0099.645] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0099.645] malloc (_Size=0xc) returned 0x532e80 [0099.645] malloc (_Size=0xc) returned 0x532e98 [0099.645] malloc (_Size=0x18) returned 0x53e8c8 [0099.645] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.645] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.645] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.646] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=1, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.646] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="textvaluelist.xsl") returned 0x0 [0099.646] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.646] malloc (_Size=0xc) returned 0x533140 [0099.646] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.646] free (_Block=0x533140) [0099.646] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0099.646] malloc (_Size=0xc) returned 0x533140 [0099.646] malloc (_Size=0xc) returned 0x533158 [0099.646] SysStringLen (param_1="VALUE") returned 0x5 [0099.646] SysStringLen (param_1="TABLE") returned 0x5 [0099.646] SysStringLen (param_1="TABLE") returned 0x5 [0099.646] SysStringLen (param_1="VALUE") returned 0x5 [0099.646] malloc (_Size=0x18) returned 0x53e8e8 [0099.646] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.647] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.647] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.647] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=2, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.647] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="textvaluelist.xsl") returned 0x0 [0099.647] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.647] malloc (_Size=0xc) returned 0x53f248 [0099.647] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.647] free (_Block=0x53f248) [0099.647] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="LIST", varVal2=0x0)) returned 0x0 [0099.647] malloc (_Size=0xc) returned 0x53f248 [0099.647] malloc (_Size=0xc) returned 0x53f260 [0099.647] SysStringLen (param_1="LIST") returned 0x4 [0099.647] SysStringLen (param_1="TABLE") returned 0x5 [0099.647] malloc (_Size=0x18) returned 0x53e908 [0099.648] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.648] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.648] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.648] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=3, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.648] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="rawxml.xsl") returned 0x0 [0099.648] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.648] malloc (_Size=0xc) returned 0x53f278 [0099.648] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.648] free (_Block=0x53f278) [0099.648] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0099.648] malloc (_Size=0xc) returned 0x53f278 [0099.648] malloc (_Size=0xc) returned 0x53f290 [0099.648] SysStringLen (param_1="RAWXML") returned 0x6 [0099.648] SysStringLen (param_1="TABLE") returned 0x5 [0099.648] SysStringLen (param_1="RAWXML") returned 0x6 [0099.648] SysStringLen (param_1="LIST") returned 0x4 [0099.648] SysStringLen (param_1="LIST") returned 0x4 [0099.648] SysStringLen (param_1="RAWXML") returned 0x6 [0099.648] malloc (_Size=0x18) returned 0x53e928 [0099.649] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.649] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.649] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.649] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=4, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.649] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="htable.xsl") returned 0x0 [0099.649] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.649] malloc (_Size=0xc) returned 0x53f2a8 [0099.649] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.649] free (_Block=0x53f2a8) [0099.649] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0099.649] malloc (_Size=0xc) returned 0x53f2a8 [0099.649] malloc (_Size=0xc) returned 0x53f2c0 [0099.649] SysStringLen (param_1="HTABLE") returned 0x6 [0099.649] SysStringLen (param_1="TABLE") returned 0x5 [0099.649] SysStringLen (param_1="HTABLE") returned 0x6 [0099.649] SysStringLen (param_1="LIST") returned 0x4 [0099.649] malloc (_Size=0x18) returned 0x53e948 [0099.650] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.650] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.650] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.650] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=5, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.650] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="hform.xsl") returned 0x0 [0099.650] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.650] malloc (_Size=0xc) returned 0x53f2d8 [0099.650] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.650] free (_Block=0x53f2d8) [0099.650] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0099.650] malloc (_Size=0xc) returned 0x53f2d8 [0099.650] malloc (_Size=0xc) returned 0x53f2f0 [0099.650] SysStringLen (param_1="HFORM") returned 0x5 [0099.650] SysStringLen (param_1="TABLE") returned 0x5 [0099.650] SysStringLen (param_1="HFORM") returned 0x5 [0099.650] SysStringLen (param_1="LIST") returned 0x4 [0099.650] SysStringLen (param_1="HFORM") returned 0x5 [0099.651] SysStringLen (param_1="HTABLE") returned 0x6 [0099.651] malloc (_Size=0x18) returned 0x53e968 [0099.651] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.651] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.651] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.651] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=6, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.651] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="xml.xsl") returned 0x0 [0099.651] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.651] malloc (_Size=0xc) returned 0x53f308 [0099.651] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.651] free (_Block=0x53f308) [0099.651] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="XML", varVal2=0x0)) returned 0x0 [0099.651] malloc (_Size=0xc) returned 0x53f308 [0099.651] malloc (_Size=0xc) returned 0x53f320 [0099.652] SysStringLen (param_1="XML") returned 0x3 [0099.652] SysStringLen (param_1="TABLE") returned 0x5 [0099.652] SysStringLen (param_1="XML") returned 0x3 [0099.652] SysStringLen (param_1="VALUE") returned 0x5 [0099.652] SysStringLen (param_1="VALUE") returned 0x5 [0099.652] SysStringLen (param_1="XML") returned 0x3 [0099.652] malloc (_Size=0x18) returned 0x53e988 [0099.652] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.652] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.652] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.652] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=7, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.652] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="mof.xsl") returned 0x0 [0099.652] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.652] malloc (_Size=0xc) returned 0x53f338 [0099.652] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.652] free (_Block=0x53f338) [0099.653] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="MOF", varVal2=0x0)) returned 0x0 [0099.653] malloc (_Size=0xc) returned 0x53f338 [0099.653] malloc (_Size=0xc) returned 0x53f350 [0099.653] SysStringLen (param_1="MOF") returned 0x3 [0099.653] SysStringLen (param_1="TABLE") returned 0x5 [0099.653] SysStringLen (param_1="MOF") returned 0x3 [0099.653] SysStringLen (param_1="LIST") returned 0x4 [0099.653] SysStringLen (param_1="MOF") returned 0x3 [0099.653] SysStringLen (param_1="RAWXML") returned 0x6 [0099.653] SysStringLen (param_1="LIST") returned 0x4 [0099.653] SysStringLen (param_1="MOF") returned 0x3 [0099.653] malloc (_Size=0x18) returned 0x53e9a8 [0099.653] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.653] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.653] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.653] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=8, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.653] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="csv.xsl") returned 0x0 [0099.653] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.653] malloc (_Size=0xc) returned 0x53f368 [0099.654] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.654] free (_Block=0x53f368) [0099.654] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="CSV", varVal2=0x0)) returned 0x0 [0099.654] malloc (_Size=0xc) returned 0x53f368 [0099.654] malloc (_Size=0xc) returned 0x53f380 [0099.654] SysStringLen (param_1="CSV") returned 0x3 [0099.654] SysStringLen (param_1="TABLE") returned 0x5 [0099.654] SysStringLen (param_1="CSV") returned 0x3 [0099.654] SysStringLen (param_1="LIST") returned 0x4 [0099.654] SysStringLen (param_1="CSV") returned 0x3 [0099.654] SysStringLen (param_1="HTABLE") returned 0x6 [0099.654] SysStringLen (param_1="CSV") returned 0x3 [0099.654] SysStringLen (param_1="HFORM") returned 0x5 [0099.654] malloc (_Size=0x18) returned 0x53e9c8 [0099.654] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.654] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.654] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.654] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=9, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.655] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.655] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.655] malloc (_Size=0xc) returned 0x53f398 [0099.655] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.655] free (_Block=0x53f398) [0099.655] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0099.655] malloc (_Size=0xc) returned 0x53f398 [0099.655] malloc (_Size=0xc) returned 0x53f3b0 [0099.655] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.655] SysStringLen (param_1="TABLE") returned 0x5 [0099.655] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.655] SysStringLen (param_1="VALUE") returned 0x5 [0099.655] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.655] SysStringLen (param_1="XML") returned 0x3 [0099.655] SysStringLen (param_1="XML") returned 0x3 [0099.655] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.655] malloc (_Size=0x18) returned 0x53e9e8 [0099.656] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.656] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.656] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.656] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=10, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.656] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.656] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.656] malloc (_Size=0xc) returned 0x53f3c8 [0099.656] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.656] free (_Block=0x53f3c8) [0099.656] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0099.656] malloc (_Size=0xc) returned 0x53f3c8 [0099.656] malloc (_Size=0xc) returned 0x53f3e0 [0099.656] SysStringLen (param_1="texttablewsys") returned 0xd [0099.656] SysStringLen (param_1="TABLE") returned 0x5 [0099.656] SysStringLen (param_1="texttablewsys") returned 0xd [0099.656] SysStringLen (param_1="XML") returned 0x3 [0099.656] SysStringLen (param_1="texttablewsys") returned 0xd [0099.656] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.656] SysStringLen (param_1="XML") returned 0x3 [0099.656] SysStringLen (param_1="texttablewsys") returned 0xd [0099.657] malloc (_Size=0x18) returned 0x53ea08 [0099.657] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.657] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.657] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.657] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=11, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.657] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.657] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.657] malloc (_Size=0xc) returned 0x53f3f8 [0099.657] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.657] free (_Block=0x53f3f8) [0099.657] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0099.657] malloc (_Size=0xc) returned 0x53f3f8 [0099.657] malloc (_Size=0xc) returned 0x53f410 [0099.658] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.658] SysStringLen (param_1="TABLE") returned 0x5 [0099.658] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.658] SysStringLen (param_1="XML") returned 0x3 [0099.658] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.658] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.658] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.658] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.658] malloc (_Size=0x18) returned 0x53ea28 [0099.658] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.658] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.658] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.658] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=12, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.658] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.658] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.658] malloc (_Size=0xc) returned 0x53f428 [0099.658] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.659] free (_Block=0x53f428) [0099.659] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0099.659] malloc (_Size=0xc) returned 0x53f428 [0099.659] malloc (_Size=0xc) returned 0x53f440 [0099.659] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.659] SysStringLen (param_1="TABLE") returned 0x5 [0099.659] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.659] SysStringLen (param_1="XML") returned 0x3 [0099.659] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.659] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.659] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.659] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.659] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.659] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.659] malloc (_Size=0x18) returned 0x53ea48 [0099.659] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.659] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.659] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.659] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=13, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.660] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.660] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.660] malloc (_Size=0xc) returned 0x53f458 [0099.660] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.660] free (_Block=0x53f458) [0099.660] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0099.660] malloc (_Size=0xc) returned 0x53f458 [0099.660] malloc (_Size=0xc) returned 0x53f470 [0099.660] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.660] SysStringLen (param_1="TABLE") returned 0x5 [0099.660] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.660] SysStringLen (param_1="XML") returned 0x3 [0099.660] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.660] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.660] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.660] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.660] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.660] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.660] malloc (_Size=0x18) returned 0x53ea68 [0099.661] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.661] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.661] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.661] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=14, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.661] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="texttable.xsl") returned 0x0 [0099.661] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.661] malloc (_Size=0xc) returned 0x53f488 [0099.661] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.661] free (_Block=0x53f488) [0099.661] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0099.661] malloc (_Size=0xc) returned 0x53f488 [0099.661] malloc (_Size=0xc) returned 0x53f4a0 [0099.661] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0099.661] SysStringLen (param_1="TABLE") returned 0x5 [0099.661] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0099.661] SysStringLen (param_1="XML") returned 0x3 [0099.661] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0099.662] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.662] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0099.662] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.662] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0099.662] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.662] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.662] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0099.662] malloc (_Size=0x18) returned 0x53ea88 [0099.662] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.662] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.662] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.662] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=15, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.662] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="htable.xsl") returned 0x0 [0099.662] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.662] malloc (_Size=0xc) returned 0x53f4b8 [0099.662] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.662] free (_Block=0x53f4b8) [0099.663] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0099.663] malloc (_Size=0xc) returned 0x53f4b8 [0099.663] malloc (_Size=0xc) returned 0x53f4d0 [0099.663] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0099.663] SysStringLen (param_1="TABLE") returned 0x5 [0099.663] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0099.663] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.663] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0099.663] SysStringLen (param_1="XML") returned 0x3 [0099.663] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0099.663] SysStringLen (param_1="texttablewsys") returned 0xd [0099.663] SysStringLen (param_1="XML") returned 0x3 [0099.663] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0099.663] malloc (_Size=0x18) returned 0x53eaa8 [0099.663] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.663] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.663] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.663] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=16, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.663] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="htable.xsl") returned 0x0 [0099.663] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.664] malloc (_Size=0xc) returned 0x53f4e8 [0099.664] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.664] free (_Block=0x53f4e8) [0099.664] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0099.664] malloc (_Size=0xc) returned 0x53f4e8 [0099.664] malloc (_Size=0xc) returned 0x53f500 [0099.664] SysStringLen (param_1="htable-sortby") returned 0xd [0099.664] SysStringLen (param_1="TABLE") returned 0x5 [0099.664] SysStringLen (param_1="htable-sortby") returned 0xd [0099.664] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.664] SysStringLen (param_1="htable-sortby") returned 0xd [0099.664] SysStringLen (param_1="XML") returned 0x3 [0099.664] SysStringLen (param_1="htable-sortby") returned 0xd [0099.664] SysStringLen (param_1="texttablewsys") returned 0xd [0099.664] SysStringLen (param_1="htable-sortby") returned 0xd [0099.664] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0099.664] SysStringLen (param_1="XML") returned 0x3 [0099.664] SysStringLen (param_1="htable-sortby") returned 0xd [0099.664] malloc (_Size=0x18) returned 0x53eac8 [0099.665] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.665] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.665] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.665] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=17, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.665] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="mof.xsl") returned 0x0 [0099.665] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.665] malloc (_Size=0xc) returned 0x53f518 [0099.665] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.665] free (_Block=0x53f518) [0099.665] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0099.665] malloc (_Size=0xc) returned 0x53f518 [0099.665] malloc (_Size=0xc) returned 0x53f530 [0099.665] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0099.665] SysStringLen (param_1="TABLE") returned 0x5 [0099.665] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0099.665] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.665] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0099.665] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.665] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0099.665] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.666] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.666] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0099.666] malloc (_Size=0x18) returned 0x53eae8 [0099.666] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.666] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.666] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.666] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=18, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.666] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="mof.xsl") returned 0x0 [0099.666] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.666] malloc (_Size=0xc) returned 0x53f548 [0099.666] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.666] free (_Block=0x53f548) [0099.666] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0099.666] malloc (_Size=0xc) returned 0x53f548 [0099.666] malloc (_Size=0xc) returned 0x53f560 [0099.667] SysStringLen (param_1="wmiclimofformat") returned 0xf [0099.667] SysStringLen (param_1="TABLE") returned 0x5 [0099.667] SysStringLen (param_1="wmiclimofformat") returned 0xf [0099.667] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.667] SysStringLen (param_1="wmiclimofformat") returned 0xf [0099.667] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.667] SysStringLen (param_1="wmiclimofformat") returned 0xf [0099.667] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0099.667] SysStringLen (param_1="wmiclimofformat") returned 0xf [0099.667] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0099.667] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.667] SysStringLen (param_1="wmiclimofformat") returned 0xf [0099.667] malloc (_Size=0x18) returned 0x53eb08 [0099.668] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.668] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.668] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.668] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=19, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.668] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="textvaluelist.xsl") returned 0x0 [0099.668] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.668] malloc (_Size=0xc) returned 0x53f578 [0099.668] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.668] free (_Block=0x53f578) [0099.668] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0099.668] malloc (_Size=0xc) returned 0x53f578 [0099.668] malloc (_Size=0xc) returned 0x53f590 [0099.668] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0099.668] SysStringLen (param_1="TABLE") returned 0x5 [0099.668] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0099.668] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.668] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0099.668] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.668] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0099.668] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.668] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.668] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0099.669] malloc (_Size=0x18) returned 0x53eb28 [0099.669] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.669] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.669] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.669] IXMLDOMNodeList:get_item (in: This=0x9f8e80, index=20, listItem=0xef860 | out: listItem=0xef860*=0x9f4b20) returned 0x0 [0099.669] IXMLDOMNode:get_text (in: This=0x9f4b20, text=0xef868 | out: text=0xef868*="textvaluelist.xsl") returned 0x0 [0099.669] IXMLDOMNode:get_attributes (in: This=0x9f4b20, attributeMap=0xef85c | out: attributeMap=0xef85c*=0x9f8cf8) returned 0x0 [0099.669] malloc (_Size=0xc) returned 0x53f5a8 [0099.669] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x9f8cf8, name="KEYWORD", namedItem=0xef858 | out: namedItem=0xef858*=0x9f8c98) returned 0x0 [0099.669] free (_Block=0x53f5a8) [0099.669] IXMLDOMNode:get_nodeValue (in: This=0x9f8c98, value=0xef804 | out: value=0xef804*(varType=0x8, wReserved1=0x53, wReserved2=0x2e98, wReserved3=0x53, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0099.669] malloc (_Size=0xc) returned 0x53f5a8 [0099.669] malloc (_Size=0xc) returned 0x53f5c0 [0099.669] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0099.669] SysStringLen (param_1="TABLE") returned 0x5 [0099.670] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0099.670] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0099.670] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0099.670] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0099.670] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0099.670] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.670] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0099.670] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0099.670] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0099.670] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0099.670] malloc (_Size=0x18) returned 0x53eb48 [0099.670] IUnknown:Release (This=0x9f4b20) returned 0x0 [0099.670] IUnknown:Release (This=0x9f8cf8) returned 0x0 [0099.670] IUnknown:Release (This=0x9f8c98) returned 0x0 [0099.670] IUnknown:Release (This=0x9f8e80) returned 0x0 [0099.670] FreeThreadedDOMDocument:IUnknown:Release (This=0x9f8c58) returned 0x1 [0099.670] FreeThreadedDOMDocument:IUnknown:Release (This=0x9f4630) returned 0x0 [0099.670] free (_Block=0x532eb0) [0099.670] GetCommandLineW () returned="wmic.exe SHADOWCOPY /nointeractive" [0099.670] malloc (_Size=0x50) returned 0x53f630 [0099.670] memcpy_s (in: _Destination=0x53f630, _DestinationSize=0x4e, _Source=0x2b19a6, _SourceSize=0x44 | out: _Destination=0x53f630) returned 0x0 [0099.670] malloc (_Size=0xc) returned 0x53f5d8 [0099.671] malloc (_Size=0xc) returned 0x53f5f0 [0099.671] malloc (_Size=0xc) returned 0x53f608 [0099.671] malloc (_Size=0xc) returned 0x53f6a0 [0099.671] malloc (_Size=0x80) returned 0x21d0390 [0099.671] GetLocalTime (in: lpSystemTime=0xef810 | out: lpSystemTime=0xef810*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x12, wMinute=0xf, wSecond=0x13, wMilliseconds=0x278)) [0099.671] _vsnwprintf (in: _Buffer=0x21d0390, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xef7f0 | out: _Buffer="12-27-2021T18:15:19") returned 19 [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] malloc (_Size=0x36) returned 0x533170 [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] malloc (_Size=0x36) returned 0x53fa88 [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] malloc (_Size=0x16) returned 0x53eb68 [0099.671] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.671] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0099.671] malloc (_Size=0x16) returned 0x53eb88 [0099.671] malloc (_Size=0x4) returned 0x532eb0 [0099.671] free (_Block=0x0) [0099.671] free (_Block=0x53eb68) [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.671] malloc (_Size=0x4) returned 0x53fac8 [0099.671] lstrlenW (lpString="/") returned 1 [0099.671] malloc (_Size=0x4) returned 0x53fad8 [0099.671] malloc (_Size=0x8) returned 0x53fae8 [0099.671] memmove_s (in: _Destination=0x53fae8, _DestinationSize=0x4, _Source=0x532eb0, _SourceSize=0x4 | out: _Destination=0x53fae8) returned 0x0 [0099.671] free (_Block=0x532eb0) [0099.671] free (_Block=0x0) [0099.671] free (_Block=0x53fac8) [0099.671] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0099.672] malloc (_Size=0x1c) returned 0x53faf8 [0099.672] lstrlenW (lpString="nointeractive") returned 13 [0099.672] _wcsicmp (_String1="nointeractive", _String2="\"NULL\"") returned 76 [0099.672] malloc (_Size=0x1c) returned 0x53fb20 [0099.672] malloc (_Size=0xc) returned 0x53f6b8 [0099.672] memmove_s (in: _Destination=0x53f6b8, _DestinationSize=0x8, _Source=0x53fae8, _SourceSize=0x8 | out: _Destination=0x53f6b8) returned 0x0 [0099.672] free (_Block=0x53fae8) [0099.672] free (_Block=0x0) [0099.672] free (_Block=0x53faf8) [0099.672] malloc (_Size=0xc) returned 0x53f6d0 [0099.672] lstrlenW (lpString="QUIT") returned 4 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0099.672] lstrlenW (lpString="EXIT") returned 4 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0099.672] free (_Block=0x53f6d0) [0099.672] WbemLocator:IUnknown:AddRef (This=0x2d0b20) returned 0x2 [0099.672] malloc (_Size=0xc) returned 0x53f6d0 [0099.672] lstrlenW (lpString="/") returned 1 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0099.672] lstrlenW (lpString="-") returned 1 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0099.672] lstrlenW (lpString="CLASS") returned 5 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0099.672] lstrlenW (lpString="PATH") returned 4 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0099.672] lstrlenW (lpString="CONTEXT") returned 7 [0099.672] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0099.673] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.673] malloc (_Size=0x16) returned 0x53eb68 [0099.673] lstrlenW (lpString="SHADOWCOPY") returned 10 [0099.673] GetCurrentThreadId () returned 0x9c4 [0099.673] ??0CHString@@QAE@XZ () returned 0xef764 [0099.673] malloc (_Size=0xc) returned 0x53f6e8 [0099.673] malloc (_Size=0xc) returned 0x53f700 [0099.673] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2d0b20, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc1e0 | out: ppNamespace=0xadc1e0*=0x2ed3e8) returned 0x0 [0099.743] free (_Block=0x53f700) [0099.743] free (_Block=0x53f6e8) [0099.743] CoSetProxyBlanket (pProxy=0x2ed3e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0099.743] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.743] GetCurrentThreadId () returned 0x9c4 [0099.743] ??0CHString@@QAE@XZ () returned 0xef6fc [0099.743] malloc (_Size=0xc) returned 0x53f6e8 [0099.744] malloc (_Size=0xc) returned 0x53f700 [0099.744] malloc (_Size=0xc) returned 0x53f718 [0099.744] malloc (_Size=0xc) returned 0x53f730 [0099.744] SysStringLen (param_1="root\\cli") returned 0x8 [0099.744] SysStringLen (param_1="\\") returned 0x1 [0099.744] malloc (_Size=0xc) returned 0x53f748 [0099.744] SysStringLen (param_1="root\\cli\\") returned 0x9 [0099.744] SysStringLen (param_1="ms_409") returned 0x6 [0099.744] free (_Block=0x53f730) [0099.744] free (_Block=0x53f718) [0099.744] free (_Block=0x53f700) [0099.744] free (_Block=0x53f6e8) [0099.744] malloc (_Size=0xc) returned 0x53f6e8 [0099.744] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2d0b20, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xadc1e4 | out: ppNamespace=0xadc1e4*=0x2ed488) returned 0x0 [0099.750] free (_Block=0x53f6e8) [0099.750] free (_Block=0x53f748) [0099.750] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.750] GetCurrentThreadId () returned 0x9c4 [0099.750] ??0CHString@@QAE@XZ () returned 0xef768 [0099.750] malloc (_Size=0xc) returned 0x53f748 [0099.750] malloc (_Size=0xc) returned 0x53f6e8 [0099.750] malloc (_Size=0xc) returned 0x53f700 [0099.750] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0099.750] malloc (_Size=0x3a) returned 0x53ff88 [0099.750] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa91f7c, cbMultiByte=-1, lpWideCharStr=0x53ff88, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0099.751] free (_Block=0x53ff88) [0099.751] malloc (_Size=0xc) returned 0x53f718 [0099.751] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0099.751] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0099.751] malloc (_Size=0xc) returned 0x53f730 [0099.751] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0099.751] SysStringLen (param_1="'") returned 0x1 [0099.751] free (_Block=0x53f718) [0099.751] free (_Block=0x53f700) [0099.751] free (_Block=0x53f6e8) [0099.751] free (_Block=0x53f748) [0099.752] IWbemServices:GetObject (in: This=0x2ed3e8, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0xef764*=0x0, ppCallResult=0x0 | out: ppObject=0xef764*=0x31bdd8, ppCallResult=0x0) returned 0x0 [0099.759] malloc (_Size=0xc) returned 0x53f748 [0099.759] IWbemClassObject:Get (in: This=0x31bdd8, wszName="Target", lFlags=0, pVal=0xef724*(varType=0x0, wReserved1=0xe, wReserved2=0xe58c, wReserved3=0xac, varVal1=0xffffffff, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0xef724*(varType=0x8, wReserved1=0xe, wReserved2=0xe58c, wReserved3=0xac, varVal1="Select * from Win32_ShadowCopy", varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0099.759] free (_Block=0x53f748) [0099.759] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0099.759] malloc (_Size=0x3e) returned 0x53ff88 [0099.759] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0099.759] malloc (_Size=0xc) returned 0x53f748 [0099.759] IWbemClassObject:Get (in: This=0x31bdd8, wszName="PWhere", lFlags=0, pVal=0xef724*(varType=0x0, wReserved1=0xe, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x2eaf74, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0xef724*(varType=0x8, wReserved1=0xe, wReserved2=0xe58c, wReserved3=0xac, varVal1=" Where ID = '#'", varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0099.759] free (_Block=0x53f748) [0099.759] lstrlenW (lpString=" Where ID = '#'") returned 15 [0099.759] malloc (_Size=0x20) returned 0x53fae8 [0099.759] lstrlenW (lpString=" Where ID = '#'") returned 15 [0099.759] malloc (_Size=0xc) returned 0x53f748 [0099.760] IWbemClassObject:Get (in: This=0x31bdd8, wszName="Connection", lFlags=0, pVal=0xef724*(varType=0x0, wReserved1=0xe, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x304a1c, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0 | out: pVal=0xef724*(varType=0xd, wReserved1=0xe, wReserved2=0xe58c, wReserved3=0xac, varVal1=0x31c198, varVal2=0xa9a03c), pType=0x0, plFlavor=0x0) returned 0x0 [0099.760] free (_Block=0x53f748) [0099.760] IUnknown:QueryInterface (in: This=0x31c198, riid=0xa96b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0xef75c | out: ppvObject=0xef75c*=0x31c198) returned 0x0 [0099.760] GetCurrentThreadId () returned 0x9c4 [0099.760] ??0CHString@@QAE@XZ () returned 0xef6d8 [0099.760] malloc (_Size=0xc) returned 0x53f748 [0099.760] IWbemClassObject:Get (in: This=0x31c198, wszName="Namespace", lFlags=0, pVal=0xef6a8*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xef6a8*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.760] free (_Block=0x53f748) [0099.761] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0099.761] malloc (_Size=0x16) returned 0x53eba8 [0099.761] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0099.761] malloc (_Size=0xc) returned 0x53f748 [0099.761] IWbemClassObject:Get (in: This=0x31c198, wszName="Locale", lFlags=0, pVal=0xef6a8*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xef6a8*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.761] free (_Block=0x53f748) [0099.761] lstrlenW (lpString="ms_409") returned 6 [0099.761] malloc (_Size=0xe) returned 0x53f748 [0099.761] lstrlenW (lpString="ms_409") returned 6 [0099.761] malloc (_Size=0xc) returned 0x53f6e8 [0099.761] IWbemClassObject:Get (in: This=0x31c198, wszName="User", lFlags=0, pVal=0xef6a8*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xef6a8*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.761] free (_Block=0x53f6e8) [0099.761] malloc (_Size=0xc) returned 0x53f6e8 [0099.761] IWbemClassObject:Get (in: This=0x31c198, wszName="Password", lFlags=0, pVal=0xef6a8*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xef6a8*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.761] free (_Block=0x53f6e8) [0099.761] malloc (_Size=0xc) returned 0x53f6e8 [0099.761] IWbemClassObject:Get (in: This=0x31c198, wszName="Server", lFlags=0, pVal=0xef6a8*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xef6a8*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.762] free (_Block=0x53f6e8) [0099.762] lstrlenW (lpString=".") returned 1 [0099.762] malloc (_Size=0x4) returned 0x53fb10 [0099.762] lstrlenW (lpString=".") returned 1 [0099.762] malloc (_Size=0xc) returned 0x53f6e8 [0099.762] IWbemClassObject:Get (in: This=0x31c198, wszName="Authority", lFlags=0, pVal=0xef6a8*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xef6a8*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x53, varVal1=0x3007ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.762] free (_Block=0x53f6e8) [0099.762] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.762] IUnknown:Release (This=0x31c198) returned 0x1 [0099.762] GetCurrentThreadId () returned 0x9c4 [0099.762] ??0CHString@@QAE@XZ () returned 0xef6d0 [0099.762] malloc (_Size=0xc) returned 0x53f6e8 [0099.762] IWbemClassObject:Get (in: This=0x31bdd8, wszName="__RELPATH", lFlags=0, pVal=0xef6b0*(varType=0x0, wReserved1=0x0, wReserved2=0xc198, wReserved3=0x31, varVal1=0xef6c8, varVal2=0x72a1ba69), pType=0x0, plFlavor=0x0 | out: pVal=0xef6b0*(varType=0x8, wReserved1=0x0, wReserved2=0xc198, wReserved3=0x31, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x72a1ba69), pType=0x0, plFlavor=0x0) returned 0x0 [0099.763] free (_Block=0x53f6e8) [0099.763] malloc (_Size=0xc) returned 0x53f6e8 [0099.763] GetCurrentThreadId () returned 0x9c4 [0099.763] ??0CHString@@QAE@XZ () returned 0xef660 [0099.763] ??0CHString@@QAE@PBG@Z () returned 0xef64c [0099.763] ??0CHString@@QAE@ABV0@@Z () returned 0xef5ec [0099.763] ?Empty@CHString@@QAEXXZ () returned 0x72b5d828 [0099.763] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x21d2268 [0099.763] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0099.763] ?Left@CHString@@QBE?AV1@H@Z () returned 0xef5cc [0099.763] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xef5d0 [0099.763] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xef64c [0099.763] ??1CHString@@QAE@XZ () returned 0x1 [0099.763] ??1CHString@@QAE@XZ () returned 0x1 [0099.763] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xef5c8 [0099.763] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xef5ec [0099.763] ??1CHString@@QAE@XZ () returned 0x21d22d0 [0099.763] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x21d22d0 [0099.763] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0099.763] ?Left@CHString@@QBE?AV1@H@Z () returned 0xef5cc [0099.763] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0xef5d0 [0099.763] ??YCHString@@QAEABV0@ABV0@@Z () returned 0xef64c [0099.763] ??1CHString@@QAE@XZ () returned 0x1 [0099.763] ??1CHString@@QAE@XZ () returned 0x1 [0099.763] ?Mid@CHString@@QBE?AV1@H@Z () returned 0xef5c8 [0099.763] ??4CHString@@QAEABV0@ABV0@@Z () returned 0xef5ec [0099.764] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.764] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x72b5d81c [0099.764] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.764] malloc (_Size=0xc) returned 0x53f700 [0099.764] malloc (_Size=0xc) returned 0x53f718 [0099.764] malloc (_Size=0xc) returned 0x53f760 [0099.764] malloc (_Size=0xc) returned 0x53f778 [0099.764] malloc (_Size=0xc) returned 0x53f790 [0099.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0099.764] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0099.764] malloc (_Size=0xc) returned 0x53f7a8 [0099.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0099.764] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0099.764] malloc (_Size=0xc) returned 0x53f7c0 [0099.764] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0099.764] SysStringLen (param_1="\"") returned 0x1 [0099.765] free (_Block=0x53f7a8) [0099.765] free (_Block=0x53f790) [0099.765] free (_Block=0x53f778) [0099.765] free (_Block=0x53f760) [0099.765] free (_Block=0x53f718) [0099.765] free (_Block=0x53f700) [0099.765] IWbemServices:GetObject (in: This=0x2ed488, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0xef668*=0x0, ppCallResult=0x0 | out: ppObject=0xef668*=0x31c578, ppCallResult=0x0) returned 0x0 [0099.766] malloc (_Size=0xc) returned 0x53f700 [0099.766] IWbemClassObject:Get (in: This=0x31c578, wszName="Text", lFlags=0, pVal=0xef614*(varType=0x0, wReserved1=0x2e, wReserved2=0x41ec, wReserved3=0x2d, varVal1=0x4e, varVal2=0xadc1e0), pType=0x0, plFlavor=0x0 | out: pVal=0xef614*(varType=0x2008, wReserved1=0x2e, wReserved2=0x41ec, wReserved3=0x2d, varVal1=0x31c738*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x3079f0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0xadc1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0099.767] free (_Block=0x53f700) [0099.767] SafeArrayGetLBound (in: psa=0x31c738, nDim=0x1, plLbound=0xef62c | out: plLbound=0xef62c) returned 0x0 [0099.767] SafeArrayGetUBound (in: psa=0x31c738, nDim=0x1, plUbound=0xef628 | out: plUbound=0xef628) returned 0x0 [0099.767] SafeArrayGetElement (in: psa=0x31c738, rgIndices=0xef68c, pv=0xef654 | out: pv=0xef654) returned 0x0 [0099.767] malloc (_Size=0xc) returned 0x53f700 [0099.767] malloc (_Size=0xc) returned 0x53f718 [0099.767] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0099.767] free (_Block=0x53f700) [0099.767] IUnknown:Release (This=0x31c578) returned 0x0 [0099.767] free (_Block=0x53f7c0) [0099.767] ??1CHString@@QAE@XZ () returned 0x1 [0099.767] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.767] free (_Block=0x53f6e8) [0099.767] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.767] lstrlenW (lpString="Shadow copy management.") returned 23 [0099.767] malloc (_Size=0x30) returned 0x21d2268 [0099.767] lstrlenW (lpString="Shadow copy management.") returned 23 [0099.767] free (_Block=0x53f718) [0099.767] IUnknown:Release (This=0x31bdd8) returned 0x0 [0099.767] free (_Block=0x53f730) [0099.767] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.768] lstrlenW (lpString="PATH") returned 4 [0099.768] lstrlenW (lpString="/") returned 1 [0099.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="PATH", cchCount2=4) returned 1 [0099.768] lstrlenW (lpString="WHERE") returned 5 [0099.768] lstrlenW (lpString="/") returned 1 [0099.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="WHERE", cchCount2=5) returned 1 [0099.768] lstrlenW (lpString="(") returned 1 [0099.768] lstrlenW (lpString="/") returned 1 [0099.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="(", cchCount2=1) returned 3 [0099.768] lstrlenW (lpString="/") returned 1 [0099.768] lstrlenW (lpString="/") returned 1 [0099.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="/", cchCount2=1) returned 2 [0099.768] lstrlenW (lpString="?") returned 1 [0099.768] lstrlenW (lpString="nointeractive") returned 13 [0099.768] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="nointeractive", cchCount1=13, lpString2="?", cchCount2=1) returned 3 [0099.768] free (_Block=0x53f6d0) [0099.768] GetCurrentThreadId () returned 0x9c4 [0099.768] ??0CHString@@QAE@PBG@Z () returned 0xef804 [0099.768] ??YCHString@@QAEABV0@PBG@Z () returned 0xef804 [0099.768] malloc (_Size=0x800) returned 0x21d2328 [0099.768] LoadStringW (in: hInstance=0x0, uID=0xac5c, lpBuffer=0x21d2328, cchBufferMax=1024 | out: lpBuffer="Unexpected switch at this level.\r\n") returned 0x22 [0099.768] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Unexpected switch at this level.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0099.768] malloc (_Size=0x23) returned 0x21d2b30 [0099.768] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Unexpected switch at this level.\r\n", cchWideChar=-1, lpMultiByteStr=0x21d2b30, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Unexpected switch at this level.\r\n", lpUsedDefaultChar=0x0) returned 35 [0099.768] fprintf (in: _File=0x76d62940, _Format="%s" | out: _File=0x76d62940) returned 34 [0099.769] fflush (in: _File=0x76d62940 | out: _File=0x76d62940) returned 0 [0099.770] free (_Block=0x21d2b30) [0099.770] free (_Block=0x21d2328) [0099.770] ??1CHString@@QAE@XZ () returned 0x1 [0099.770] ??0CHString@@QAE@PBG@Z () returned 0xef824 [0099.770] ??YCHString@@QAEABV0@PBG@Z () returned 0xef824 [0099.770] GetCurrentThreadId () returned 0x9c4 [0099.770] GetLastError () returned 0x0 [0099.770] ??1CHString@@QAE@XZ () returned 0x1 [0099.770] free (_Block=0x53f6a0) [0099.770] free (_Block=0x53f608) [0099.770] free (_Block=0x53f5f0) [0099.770] free (_Block=0x53f5d8) [0099.771] free (_Block=0x533170) [0099.771] free (_Block=0x53eb68) [0099.771] free (_Block=0x21d2268) [0099.771] free (_Block=0x53ff88) [0099.771] free (_Block=0x53f748) [0099.771] free (_Block=0x53eba8) [0099.771] free (_Block=0x53fb10) [0099.771] free (_Block=0x532e38) [0099.772] free (_Block=0x53fae8) [0099.772] ?Empty@CHString@@QAEXXZ () returned 0x72b5d81c [0099.772] free (_Block=0x53fa88) [0099.772] free (_Block=0x53eb88) [0099.772] free (_Block=0x53fad8) [0099.772] free (_Block=0x53fb20) [0099.772] free (_Block=0x533f68) [0099.772] free (_Block=0x532728) [0099.772] free (_Block=0x532770) [0099.772] free (_Block=0x5327b8) [0099.772] free (_Block=0x532810) [0099.772] free (_Block=0x532e20) [0099.772] free (_Block=0x53e8a8) [0099.773] free (_Block=0x532e08) [0099.773] free (_Block=0x53e888) [0099.773] free (_Block=0x5329f0) [0099.773] free (_Block=0x53e868) [0099.773] free (_Block=0x532948) [0099.773] free (_Block=0x532960) [0099.773] free (_Block=0x532910) [0099.773] free (_Block=0x532928) [0099.773] free (_Block=0x532980) [0099.773] free (_Block=0x532998) [0099.773] free (_Block=0x5329b8) [0099.773] free (_Block=0x5329d0) [0099.773] free (_Block=0x5328a0) [0099.773] free (_Block=0x5328b8) [0099.773] free (_Block=0x532868) [0099.773] free (_Block=0x532880) [0099.773] free (_Block=0x5328d8) [0099.773] free (_Block=0x5328f0) [0099.774] free (_Block=0x532830) [0099.774] free (_Block=0x532848) [0099.774] free (_Block=0x5327d8) [0099.774] free (_Block=0x533fb0) [0099.775] free (_Block=0x21d0390) [0099.775] WbemLocator:IUnknown:Release (This=0x2ed488) returned 0x0 [0099.775] WbemLocator:IUnknown:Release (This=0x2ed3e8) returned 0x0 [0099.776] WbemLocator:IUnknown:Release (This=0x2d0b20) returned 0x1 [0099.776] ?Empty@CHString@@QAEXXZ () returned 0x72b5d81c [0099.776] WbemLocator:IUnknown:Release (This=0x2d0b20) returned 0x0 [0099.776] free (_Block=0x53f578) [0099.776] free (_Block=0x53f590) [0099.776] free (_Block=0x53eb28) [0099.776] free (_Block=0x53f5a8) [0099.776] free (_Block=0x53f5c0) [0099.776] free (_Block=0x53eb48) [0099.776] free (_Block=0x53f458) [0099.776] free (_Block=0x53f470) [0099.776] free (_Block=0x53ea68) [0099.776] free (_Block=0x53f488) [0099.776] free (_Block=0x53f4a0) [0099.777] free (_Block=0x53ea88) [0099.777] free (_Block=0x53f3f8) [0099.777] free (_Block=0x53f410) [0099.777] free (_Block=0x53ea28) [0099.777] free (_Block=0x53f428) [0099.777] free (_Block=0x53f440) [0099.777] free (_Block=0x53ea48) [0099.777] free (_Block=0x53f518) [0099.777] free (_Block=0x53f530) [0099.777] free (_Block=0x53eae8) [0099.777] free (_Block=0x53f548) [0099.777] free (_Block=0x53f560) [0099.777] free (_Block=0x53eb08) [0099.777] free (_Block=0x53f398) [0099.777] free (_Block=0x53f3b0) [0099.777] free (_Block=0x53e9e8) [0099.777] free (_Block=0x53f3c8) [0099.778] free (_Block=0x53f3e0) [0099.778] free (_Block=0x53ea08) [0099.778] free (_Block=0x53f4b8) [0099.778] free (_Block=0x53f4d0) [0099.778] free (_Block=0x53eaa8) [0099.778] free (_Block=0x53f4e8) [0099.778] free (_Block=0x53f500) [0099.778] free (_Block=0x53eac8) [0099.778] free (_Block=0x53f308) [0099.778] free (_Block=0x53f320) [0099.778] free (_Block=0x53e988) [0099.778] free (_Block=0x533140) [0099.778] free (_Block=0x533158) [0099.778] free (_Block=0x53e8e8) [0099.778] free (_Block=0x532e80) [0099.778] free (_Block=0x532e98) [0099.778] free (_Block=0x53e8c8) [0099.779] free (_Block=0x53f278) [0099.779] free (_Block=0x53f290) [0099.779] free (_Block=0x53e928) [0099.779] free (_Block=0x53f338) [0099.779] free (_Block=0x53f350) [0099.779] free (_Block=0x53e9a8) [0099.779] free (_Block=0x53f248) [0099.779] free (_Block=0x53f260) [0099.779] free (_Block=0x53e908) [0099.779] free (_Block=0x53f2a8) [0099.779] free (_Block=0x53f2c0) [0099.779] free (_Block=0x53e948) [0099.779] free (_Block=0x53f2d8) [0099.779] free (_Block=0x53f2f0) [0099.779] free (_Block=0x53e968) [0099.780] free (_Block=0x53f368) [0099.780] free (_Block=0x53f380) [0099.780] free (_Block=0x53e9c8) [0099.780] CoUninitialize () [0099.810] exit (_Code=44124) [0099.811] free (_Block=0x53f630) [0099.811] free (_Block=0x533e38) [0099.811] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.811] free (_Block=0x532f58) [0099.811] free (_Block=0x533fd8) [0099.811] free (_Block=0x533e18) [0099.811] free (_Block=0x533df8) [0099.811] free (_Block=0x533dc8) [0099.811] free (_Block=0x533da8) [0099.812] free (_Block=0x5313d8) [0099.812] free (_Block=0x533d68) [0099.812] free (_Block=0x5313b8) [0099.812] ??1CHString@@QAE@XZ () returned 0x72b5d81c [0099.812] free (_Block=0x53f6b8) Thread: id = 112 os_tid = 0x8ec Thread: id = 113 os_tid = 0x9c0 Thread: id = 114 os_tid = 0x8e4 Thread: id = 115 os_tid = 0x8e0 Process: id = "10" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4562e000" os_pid = "0x9b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xae4" cmd_line = "vssadmin.exe Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2142 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2143 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2144 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2145 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2146 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2147 start_va = 0x1d0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2148 start_va = 0x280000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2149 start_va = 0x570000 end_va = 0x58efff monitored = 0 entry_point = 0x581f03 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe") Region: id = 2150 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2151 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2152 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2153 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2154 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2155 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2156 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2157 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2158 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2159 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2160 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2161 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2162 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2163 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2164 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2165 start_va = 0x590000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2166 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2167 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2168 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2169 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2170 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2171 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2172 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2173 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2174 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2175 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2176 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2177 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2178 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2179 start_va = 0x72b70000 end_va = 0x72b83fff monitored = 0 entry_point = 0x72b71da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 2180 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2181 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2182 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2183 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2184 start_va = 0x72ba0000 end_va = 0x72baffff monitored = 0 entry_point = 0x72ba1270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll") Region: id = 2185 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2186 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2187 start_va = 0x72a50000 end_va = 0x72b65fff monitored = 0 entry_point = 0x72a51590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll") Region: id = 2188 start_va = 0x7d0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 2189 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 2190 start_va = 0x9c0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 2191 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2192 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2193 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2194 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2195 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 2196 start_va = 0xb60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 2197 start_va = 0x30000 end_va = 0x3cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui") Region: id = 2198 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2199 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2200 start_va = 0x210000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2201 start_va = 0x2c0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2202 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2203 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2204 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2205 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2206 start_va = 0x300000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2207 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2208 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2209 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2210 start_va = 0x120000 end_va = 0x15bfff monitored = 0 entry_point = 0x12128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2211 start_va = 0x120000 end_va = 0x15bfff monitored = 0 entry_point = 0x12128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2212 start_va = 0x120000 end_va = 0x15bfff monitored = 0 entry_point = 0x12128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2213 start_va = 0x120000 end_va = 0x15bfff monitored = 0 entry_point = 0x12128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2214 start_va = 0x120000 end_va = 0x15bfff monitored = 0 entry_point = 0x12128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2215 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2216 start_va = 0x1f60000 end_va = 0x222efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2217 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 2218 start_va = 0x3c0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2219 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 2220 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2221 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2222 start_va = 0x140000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2223 start_va = 0x980000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2224 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2225 start_va = 0x590000 end_va = 0x64ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2226 start_va = 0x340000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2227 start_va = 0x120000 end_va = 0x127fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui") Thread: id = 116 os_tid = 0xa5c Thread: id = 117 os_tid = 0xa58 Thread: id = 118 os_tid = 0xa4c Thread: id = 119 os_tid = 0xa48 Thread: id = 120 os_tid = 0xa44 Process: id = "11" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x43133000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xae4" cmd_line = "wmic.exe SHADOWCOPY /nointeractive" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2228 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2229 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2230 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2231 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2232 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2233 start_va = 0x110000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2234 start_va = 0x220000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2235 start_va = 0x5a0000 end_va = 0x602fff monitored = 1 entry_point = 0x5dd81a region_type = mapped_file name = "wmic.exe" filename = "\\Windows\\SysWOW64\\wbem\\WMIC.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe") Region: id = 2236 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2237 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2238 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2239 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2240 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2241 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2242 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2243 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2244 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2245 start_va = 0x410000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2246 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2247 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2248 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2249 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2250 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2251 start_va = 0x610000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2252 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2253 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2254 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2255 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2256 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2257 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2258 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2259 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2260 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2261 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2262 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2263 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2264 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2265 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2266 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2267 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2268 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2269 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2270 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2271 start_va = 0x72b70000 end_va = 0x72ba4fff monitored = 0 entry_point = 0x72b8ee80 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 2272 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2273 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2274 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2275 start_va = 0x72c10000 end_va = 0x72c17fff monitored = 0 entry_point = 0x72c110e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2276 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2277 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2278 start_va = 0x260000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2279 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2280 start_va = 0x610000 end_va = 0x797fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2281 start_va = 0x7c0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2282 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2283 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2284 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2285 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 2286 start_va = 0xa50000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 2287 start_va = 0x30000 end_va = 0x3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmic.exe.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmic.exe.mui") Region: id = 2288 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2289 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2290 start_va = 0x1d0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2291 start_va = 0x300000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2292 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2293 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2294 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2295 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2296 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2297 start_va = 0x72b60000 end_va = 0x72b6afff monitored = 0 entry_point = 0x72b652a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2298 start_va = 0x72af0000 end_va = 0x72b50fff monitored = 0 entry_point = 0x72b2bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 2299 start_va = 0x75300000 end_va = 0x75316fff monitored = 0 entry_point = 0x753035fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2300 start_va = 0x1e50000 end_va = 0x211efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2301 start_va = 0x72cb0000 end_va = 0x72de2fff monitored = 0 entry_point = 0x72cb145e region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll") Region: id = 2302 start_va = 0x2120000 end_va = 0x22cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 2303 start_va = 0x160000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2304 start_va = 0x22d0000 end_va = 0x24affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Region: id = 2305 start_va = 0x24b0000 end_va = 0x26cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 2306 start_va = 0x260000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2307 start_va = 0x340000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2308 start_va = 0x26d0000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 2309 start_va = 0x490000 end_va = 0x54ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2310 start_va = 0x28d0000 end_va = 0x2ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 2311 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll") Region: id = 2312 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2313 start_va = 0x170000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2314 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2315 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2316 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2317 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2318 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2319 start_va = 0x2120000 end_va = 0x221ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 2320 start_va = 0x2290000 end_va = 0x22cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 2321 start_va = 0x210000 end_va = 0x211fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 2322 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 2323 start_va = 0x260000 end_va = 0x260fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2324 start_va = 0x270000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2325 start_va = 0x2b0000 end_va = 0x2b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2326 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2327 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 2328 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2329 start_va = 0x2c0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 2330 start_va = 0x2d0000 end_va = 0x2d7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 2331 start_va = 0x2e0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 2332 start_va = 0x74560000 end_va = 0x745a3fff monitored = 0 entry_point = 0x745763f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 2333 start_va = 0x24b0000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 2334 start_va = 0x2690000 end_va = 0x26cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 2335 start_va = 0x743f0000 end_va = 0x7446ffff monitored = 0 entry_point = 0x744037c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2336 start_va = 0x22d0000 end_va = 0x245ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Region: id = 2337 start_va = 0x2470000 end_va = 0x24affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 2338 start_va = 0x22d0000 end_va = 0x23aefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022d0000" filename = "" Region: id = 2339 start_va = 0x2420000 end_va = 0x245ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2340 start_va = 0x24e0000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 2341 start_va = 0x2570000 end_va = 0x25affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 2342 start_va = 0x2620000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 2343 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2344 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2345 start_va = 0x340000 end_va = 0x37bfff monitored = 0 entry_point = 0x34128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2346 start_va = 0x380000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2347 start_va = 0x340000 end_va = 0x37bfff monitored = 0 entry_point = 0x34128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2348 start_va = 0x340000 end_va = 0x37bfff monitored = 0 entry_point = 0x34128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2349 start_va = 0x340000 end_va = 0x37bfff monitored = 0 entry_point = 0x34128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2350 start_va = 0x340000 end_va = 0x37bfff monitored = 0 entry_point = 0x34128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2351 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2352 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 2353 start_va = 0x23e0000 end_va = 0x241ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 2354 start_va = 0x2700000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 2355 start_va = 0x2850000 end_va = 0x288ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 2356 start_va = 0x2890000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2357 start_va = 0x2d00000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 2358 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2359 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2360 start_va = 0x72ae0000 end_va = 0x72aeefff monitored = 0 entry_point = 0x72ae93d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 2361 start_va = 0x72a30000 end_va = 0x72ad5fff monitored = 0 entry_point = 0x72a9a2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 2362 start_va = 0x72a10000 end_va = 0x72a27fff monitored = 0 entry_point = 0x72a11335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 2363 start_va = 0x2f0000 end_va = 0x2fcfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Thread: id = 121 os_tid = 0x8d0 [0100.262] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fa54 | out: lpSystemTimeAsFileTime=0x25fa54*(dwLowDateTime=0x53759140, dwHighDateTime=0x1d7fb45)) [0100.262] GetCurrentProcessId () returned 0xb64 [0100.262] GetCurrentThreadId () returned 0x8d0 [0100.262] GetTickCount () returned 0xec395c [0100.262] QueryPerformanceCounter (in: lpPerformanceCount=0x25fa4c | out: lpPerformanceCount=0x25fa4c*=1564356597224) returned 1 [0100.263] GetModuleHandleA (lpModuleName=0x0) returned 0x5a0000 [0100.263] __set_app_type (_Type=0x1) [0100.263] __p__fmode () returned 0x76d631f4 [0100.263] __p__commode () returned 0x76d631fc [0100.263] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x5ddc15) returned 0x0 [0100.263] __wgetmainargs (in: _Argc=0x5ec5e8, _Argv=0x5ec5f0, _Env=0x5ec5ec, _DoWildCard=0, _StartInfo=0x5ec5fc | out: _Argc=0x5ec5e8, _Argv=0x5ec5f0, _Env=0x5ec5ec) returned 0 [0100.264] ??0CHString@@QAE@XZ () returned 0x5ec28c [0100.265] malloc (_Size=0x18) returned 0x3d13b8 [0100.265] malloc (_Size=0x38) returned 0x3d3d68 [0100.265] malloc (_Size=0x28) returned 0x3d13d8 [0100.265] malloc (_Size=0x18) returned 0x3d3da8 [0100.265] malloc (_Size=0x24) returned 0x3d3dc8 [0100.265] malloc (_Size=0x18) returned 0x3d3df8 [0100.265] malloc (_Size=0x18) returned 0x3d3e18 [0100.265] ??0CHString@@QAE@XZ () returned 0x5ec594 [0100.265] malloc (_Size=0x18) returned 0x3d3e38 [0100.265] ?Empty@CHString@@QAEXXZ () returned 0x72b9d81c [0100.265] SetConsoleCtrlHandler (HandlerRoutine=0x5d6b6f, Add=1) returned 1 [0100.265] _onexit (_Func=0x5e2f1f) returned 0x5e2f1f [0100.266] _onexit (_Func=0x5e2f2e) returned 0x5e2f2e [0100.266] _onexit (_Func=0x5e2f42) returned 0x5e2f42 [0100.266] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.266] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0100.267] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0100.299] CoCreateInstance (in: rclsid=0x5a6c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x5a6b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x5ec1b0 | out: ppv=0x5ec1b0*=0x7e0b20) returned 0x0 [0100.318] GetCurrentProcess () returned 0xffffffff [0100.318] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x25f8fc | out: TokenHandle=0x25f8fc*=0x11c) returned 1 [0100.319] GetTokenInformation (in: TokenHandle=0x11c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x25f8f8 | out: TokenInformation=0x0, ReturnLength=0x25f8f8) returned 0 [0100.319] malloc (_Size=0x118) returned 0x3d2728 [0100.319] GetTokenInformation (in: TokenHandle=0x11c, TokenInformationClass=0x3, TokenInformation=0x3d2728, TokenInformationLength=0x118, ReturnLength=0x25f8f8 | out: TokenInformation=0x3d2728, ReturnLength=0x25f8f8) returned 1 [0100.319] AdjustTokenPrivileges (in: TokenHandle=0x11c, DisableAllPrivileges=0, NewState=0x3d2728*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0100.319] free (_Block=0x3d2728) [0100.319] CloseHandle (hObject=0x11c) returned 1 [0100.319] malloc (_Size=0x40) returned 0x3d3f68 [0100.320] malloc (_Size=0x40) returned 0x3d2728 [0100.320] malloc (_Size=0x40) returned 0x3d2770 [0100.320] malloc (_Size=0x20a) returned 0x3d27b8 [0100.320] GetSystemDirectoryW (in: lpBuffer=0x3d27b8, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.320] free (_Block=0x3d27b8) [0100.320] malloc (_Size=0xc) returned 0x3d3fb0 [0100.320] malloc (_Size=0xc) returned 0x3d3fc8 [0100.320] malloc (_Size=0xc) returned 0x3d27b8 [0100.320] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0100.320] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0100.321] free (_Block=0x3d3fb0) [0100.321] free (_Block=0x3d3fc8) [0100.321] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x769b0000 [0100.322] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadUILanguage") returned 0x769da827 [0100.322] SetThreadUILanguage (LangId=0x0) returned 0x409 [0100.323] FreeLibrary (hLibModule=0x769b0000) returned 1 [0100.323] free (_Block=0x3d27b8) [0100.323] _vsnwprintf (in: _Buffer=0x3d2770, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x25f858 | out: _Buffer="ms_409") returned 6 [0100.323] malloc (_Size=0x20) returned 0x3d3fb0 [0100.323] GetComputerNameW (in: lpBuffer=0x3d3fb0, nSize=0x25f8b0 | out: lpBuffer="Q9IATRKPRH", nSize=0x25f8b0) returned 1 [0100.324] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.324] malloc (_Size=0x16) returned 0x3d27b8 [0100.324] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.324] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x25f8ec | out: lpNameBuffer=0x0, nSize=0x25f8ec) returned 0x0 [0100.325] GetLastError () returned 0xea [0100.325] malloc (_Size=0x2c) returned 0x3d27d8 [0100.325] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3d27d8, nSize=0x25f8ec | out: lpNameBuffer="Q9IATRKPRH\\kEecfMwgj", nSize=0x25f8ec) returned 0x1 [0100.325] lstrlenW (lpString="") returned 0 [0100.325] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.326] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3 [0100.329] lstrlenW (lpString=".") returned 1 [0100.329] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2=".", cchCount2=1) returned 3 [0100.329] lstrlenW (lpString="LOCALHOST") returned 9 [0100.329] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="LOCALHOST", cchCount2=9) returned 3 [0100.330] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="Q9IATRKPRH", cchCount2=10) returned 2 [0100.330] free (_Block=0x3d27b8) [0100.330] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] malloc (_Size=0x16) returned 0x3d27b8 [0100.330] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] malloc (_Size=0x16) returned 0x3d2810 [0100.330] lstrlenW (lpString="Q9IATRKPRH") returned 10 [0100.330] malloc (_Size=0x4) returned 0x3d3fd8 [0100.330] malloc (_Size=0xc) returned 0x3d2830 [0100.330] malloc (_Size=0x18) returned 0x3d2848 [0100.330] malloc (_Size=0xc) returned 0x3d2868 [0100.330] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.330] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.330] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.330] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.330] malloc (_Size=0x18) returned 0x3d2880 [0100.331] malloc (_Size=0xc) returned 0x3d28a0 [0100.331] SysStringLen (param_1="IMPERSONATE") returned 0xb [0100.331] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.331] SysStringLen (param_1="IMPERSONATE") returned 0xb [0100.331] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.331] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.331] SysStringLen (param_1="IMPERSONATE") returned 0xb [0100.331] malloc (_Size=0x18) returned 0x3d28b8 [0100.331] malloc (_Size=0xc) returned 0x3d28d8 [0100.331] SysStringLen (param_1="DELEGATE") returned 0x8 [0100.331] SysStringLen (param_1="IDENTIFY") returned 0x8 [0100.331] SysStringLen (param_1="DELEGATE") returned 0x8 [0100.331] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.331] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0100.331] SysStringLen (param_1="DELEGATE") returned 0x8 [0100.331] malloc (_Size=0x18) returned 0x3d28f0 [0100.331] malloc (_Size=0xc) returned 0x3d2910 [0100.331] malloc (_Size=0x18) returned 0x3d2928 [0100.332] malloc (_Size=0xc) returned 0x3d2948 [0100.332] SysStringLen (param_1="NONE") returned 0x4 [0100.332] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.332] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.332] SysStringLen (param_1="NONE") returned 0x4 [0100.332] malloc (_Size=0x18) returned 0x3d2960 [0100.332] malloc (_Size=0xc) returned 0x3d2980 [0100.332] SysStringLen (param_1="CONNECT") returned 0x7 [0100.332] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.332] malloc (_Size=0x18) returned 0x3d2998 [0100.332] malloc (_Size=0xc) returned 0x3d29b8 [0100.333] SysStringLen (param_1="CALL") returned 0x4 [0100.333] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.333] SysStringLen (param_1="CALL") returned 0x4 [0100.333] SysStringLen (param_1="CONNECT") returned 0x7 [0100.333] malloc (_Size=0x18) returned 0x3d29d0 [0100.333] malloc (_Size=0xc) returned 0x3d29f0 [0100.333] SysStringLen (param_1="PKT") returned 0x3 [0100.334] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.334] SysStringLen (param_1="PKT") returned 0x3 [0100.334] SysStringLen (param_1="NONE") returned 0x4 [0100.334] SysStringLen (param_1="NONE") returned 0x4 [0100.334] SysStringLen (param_1="PKT") returned 0x3 [0100.334] malloc (_Size=0x18) returned 0x3de868 [0100.334] malloc (_Size=0xc) returned 0x3d2e08 [0100.334] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.334] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.334] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.334] SysStringLen (param_1="NONE") returned 0x4 [0100.334] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.334] SysStringLen (param_1="PKT") returned 0x3 [0100.334] SysStringLen (param_1="PKT") returned 0x3 [0100.334] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.334] malloc (_Size=0x18) returned 0x3de888 [0100.334] malloc (_Size=0xc) returned 0x3d2e20 [0100.334] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.334] SysStringLen (param_1="DEFAULT") returned 0x7 [0100.334] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.334] SysStringLen (param_1="PKT") returned 0x3 [0100.335] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.335] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.335] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0100.335] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0100.335] malloc (_Size=0x18) returned 0x3de8a8 [0100.335] malloc (_Size=0x40) returned 0x3d2e38 [0100.335] malloc (_Size=0x20a) returned 0x3d2e80 [0100.335] GetSystemDirectoryW (in: lpBuffer=0x3d2e80, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0100.335] free (_Block=0x3d2e80) [0100.335] malloc (_Size=0xc) returned 0x3d2e80 [0100.335] malloc (_Size=0xc) returned 0x3d2e98 [0100.335] malloc (_Size=0xc) returned 0x3d2eb0 [0100.336] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0100.336] SysStringLen (param_1="\\wbem\\") returned 0x6 [0100.336] free (_Block=0x3d2e80) [0100.336] free (_Block=0x3d2e98) [0100.336] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0100.336] free (_Block=0x3d2eb0) [0100.336] malloc (_Size=0xc) returned 0x3d2e80 [0100.336] malloc (_Size=0xc) returned 0x3d2e98 [0100.336] malloc (_Size=0xc) returned 0x3d2eb0 [0100.336] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0100.336] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0100.336] free (_Block=0x3d2e80) [0100.336] free (_Block=0x3d2e98) [0100.337] GetCurrentThreadId () returned 0x8d0 [0100.337] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x25f408 | out: phkResult=0x25f408*=0x120) returned 0x0 [0100.337] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x25f414, lpcbData=0x25f410*=0x400 | out: lpType=0x0, lpData=0x25f414*=0x30, lpcbData=0x25f410*=0x4) returned 0x0 [0100.337] _wcsicmp (_String1="0", _String2="1") returned -1 [0100.337] _wcsicmp (_String1="0", _String2="2") returned -2 [0100.337] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x25f410*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x25f410*=0x42) returned 0x0 [0100.337] malloc (_Size=0x86) returned 0x3d2ec8 [0100.337] RegQueryValueExW (in: hKey=0x120, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3d2ec8, lpcbData=0x25f410*=0x42 | out: lpType=0x0, lpData=0x3d2ec8*=0x25, lpcbData=0x25f410*=0x42) returned 0x0 [0100.337] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0100.337] malloc (_Size=0x42) returned 0x3d2f58 [0100.337] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0100.337] RegQueryValueExW (in: hKey=0x120, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x25f414, lpcbData=0x25f410*=0x400 | out: lpType=0x0, lpData=0x25f414*=0x36, lpcbData=0x25f410*=0xc) returned 0x0 [0100.338] _wtol (_String="65536") returned 65536 [0100.338] free (_Block=0x3d2ec8) [0100.338] RegCloseKey (hKey=0x0) returned 0x6 [0100.338] CoCreateInstance (in: rclsid=0x5a6d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x5a6d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x25f8a4 | out: ppv=0x25f8a4*=0x2294630) returned 0x0 [0100.358] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x2294630, xmlSource=0x25f828*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77a1, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x25f88c | out: isSuccessful=0x25f88c*=0xffff) returned 0x0 [0100.482] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2294630, DOMElement=0x25f8a0 | out: DOMElement=0x25f8a0*=0x2298c58) returned 0x0 [0100.483] malloc (_Size=0xc) returned 0x3d2e80 [0100.483] IXMLDOMElement:getElementsByTagName (in: This=0x2298c58, tagName="XSLFORMAT", resultList=0x25f89c | out: resultList=0x25f89c*=0x2298e80) returned 0x0 [0100.484] free (_Block=0x3d2e80) [0100.484] IXMLDOMNodeList:get_length (in: This=0x2298e80, listLength=0x25f884 | out: listLength=0x25f884*=21) returned 0x0 [0100.484] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=0, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.484] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.484] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.485] malloc (_Size=0xc) returned 0x3d2e80 [0100.485] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.485] free (_Block=0x3d2e80) [0100.485] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0100.485] malloc (_Size=0xc) returned 0x3d2e80 [0100.485] malloc (_Size=0xc) returned 0x3d2e98 [0100.485] malloc (_Size=0x18) returned 0x3de8c8 [0100.485] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.485] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.486] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.486] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=1, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.486] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="textvaluelist.xsl") returned 0x0 [0100.486] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.486] malloc (_Size=0xc) returned 0x3d3140 [0100.486] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.486] free (_Block=0x3d3140) [0100.486] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0100.486] malloc (_Size=0xc) returned 0x3d3140 [0100.486] malloc (_Size=0xc) returned 0x3d3158 [0100.486] SysStringLen (param_1="VALUE") returned 0x5 [0100.486] SysStringLen (param_1="TABLE") returned 0x5 [0100.486] SysStringLen (param_1="TABLE") returned 0x5 [0100.486] SysStringLen (param_1="VALUE") returned 0x5 [0100.486] malloc (_Size=0x18) returned 0x3de8e8 [0100.487] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.487] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.487] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.487] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=2, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.487] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="textvaluelist.xsl") returned 0x0 [0100.487] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.487] malloc (_Size=0xc) returned 0x3df248 [0100.487] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.487] free (_Block=0x3df248) [0100.487] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="LIST", varVal2=0x0)) returned 0x0 [0100.487] malloc (_Size=0xc) returned 0x3df248 [0100.488] malloc (_Size=0xc) returned 0x3df260 [0100.488] SysStringLen (param_1="LIST") returned 0x4 [0100.488] SysStringLen (param_1="TABLE") returned 0x5 [0100.488] malloc (_Size=0x18) returned 0x3de908 [0100.488] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.488] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.488] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.488] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=3, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.488] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="rawxml.xsl") returned 0x0 [0100.488] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.488] malloc (_Size=0xc) returned 0x3df278 [0100.488] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.489] free (_Block=0x3df278) [0100.489] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0100.489] malloc (_Size=0xc) returned 0x3df278 [0100.489] malloc (_Size=0xc) returned 0x3df290 [0100.489] SysStringLen (param_1="RAWXML") returned 0x6 [0100.489] SysStringLen (param_1="TABLE") returned 0x5 [0100.489] SysStringLen (param_1="RAWXML") returned 0x6 [0100.489] SysStringLen (param_1="LIST") returned 0x4 [0100.489] SysStringLen (param_1="LIST") returned 0x4 [0100.489] SysStringLen (param_1="RAWXML") returned 0x6 [0100.489] malloc (_Size=0x18) returned 0x3de928 [0100.489] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.489] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.489] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.489] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=4, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.490] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="htable.xsl") returned 0x0 [0100.490] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.490] malloc (_Size=0xc) returned 0x3df2a8 [0100.490] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.490] free (_Block=0x3df2a8) [0100.490] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0100.490] malloc (_Size=0xc) returned 0x3df2a8 [0100.490] malloc (_Size=0xc) returned 0x3df2c0 [0100.490] SysStringLen (param_1="HTABLE") returned 0x6 [0100.490] SysStringLen (param_1="TABLE") returned 0x5 [0100.490] SysStringLen (param_1="HTABLE") returned 0x6 [0100.490] SysStringLen (param_1="LIST") returned 0x4 [0100.490] malloc (_Size=0x18) returned 0x3de948 [0100.490] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.491] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.491] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.491] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=5, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.491] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="hform.xsl") returned 0x0 [0100.491] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.491] malloc (_Size=0xc) returned 0x3df2d8 [0100.491] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.491] free (_Block=0x3df2d8) [0100.491] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0100.491] malloc (_Size=0xc) returned 0x3df2d8 [0100.491] malloc (_Size=0xc) returned 0x3df2f0 [0100.491] SysStringLen (param_1="HFORM") returned 0x5 [0100.491] SysStringLen (param_1="TABLE") returned 0x5 [0100.491] SysStringLen (param_1="HFORM") returned 0x5 [0100.491] SysStringLen (param_1="LIST") returned 0x4 [0100.491] SysStringLen (param_1="HFORM") returned 0x5 [0100.491] SysStringLen (param_1="HTABLE") returned 0x6 [0100.491] malloc (_Size=0x18) returned 0x3de968 [0100.492] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.492] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.492] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.492] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=6, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.492] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="xml.xsl") returned 0x0 [0100.492] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.492] malloc (_Size=0xc) returned 0x3df308 [0100.492] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.492] free (_Block=0x3df308) [0100.492] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="XML", varVal2=0x0)) returned 0x0 [0100.492] malloc (_Size=0xc) returned 0x3df308 [0100.492] malloc (_Size=0xc) returned 0x3df320 [0100.492] SysStringLen (param_1="XML") returned 0x3 [0100.492] SysStringLen (param_1="TABLE") returned 0x5 [0100.492] SysStringLen (param_1="XML") returned 0x3 [0100.492] SysStringLen (param_1="VALUE") returned 0x5 [0100.492] SysStringLen (param_1="VALUE") returned 0x5 [0100.492] SysStringLen (param_1="XML") returned 0x3 [0100.492] malloc (_Size=0x18) returned 0x3de988 [0100.493] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.493] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.493] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.493] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=7, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.493] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="mof.xsl") returned 0x0 [0100.493] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.493] malloc (_Size=0xc) returned 0x3df338 [0100.493] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.493] free (_Block=0x3df338) [0100.493] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="MOF", varVal2=0x0)) returned 0x0 [0100.493] malloc (_Size=0xc) returned 0x3df338 [0100.493] malloc (_Size=0xc) returned 0x3df350 [0100.493] SysStringLen (param_1="MOF") returned 0x3 [0100.493] SysStringLen (param_1="TABLE") returned 0x5 [0100.493] SysStringLen (param_1="MOF") returned 0x3 [0100.493] SysStringLen (param_1="LIST") returned 0x4 [0100.493] SysStringLen (param_1="MOF") returned 0x3 [0100.494] SysStringLen (param_1="RAWXML") returned 0x6 [0100.494] SysStringLen (param_1="LIST") returned 0x4 [0100.494] SysStringLen (param_1="MOF") returned 0x3 [0100.494] malloc (_Size=0x18) returned 0x3de9a8 [0100.494] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.494] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.494] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.494] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=8, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.494] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="csv.xsl") returned 0x0 [0100.494] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.494] malloc (_Size=0xc) returned 0x3df368 [0100.494] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.494] free (_Block=0x3df368) [0100.494] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="CSV", varVal2=0x0)) returned 0x0 [0100.494] malloc (_Size=0xc) returned 0x3df368 [0100.494] malloc (_Size=0xc) returned 0x3df380 [0100.495] SysStringLen (param_1="CSV") returned 0x3 [0100.495] SysStringLen (param_1="TABLE") returned 0x5 [0100.495] SysStringLen (param_1="CSV") returned 0x3 [0100.495] SysStringLen (param_1="LIST") returned 0x4 [0100.495] SysStringLen (param_1="CSV") returned 0x3 [0100.495] SysStringLen (param_1="HTABLE") returned 0x6 [0100.495] SysStringLen (param_1="CSV") returned 0x3 [0100.495] SysStringLen (param_1="HFORM") returned 0x5 [0100.495] malloc (_Size=0x18) returned 0x3de9c8 [0100.495] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.495] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.495] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.495] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=9, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.495] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.495] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.495] malloc (_Size=0xc) returned 0x3df398 [0100.495] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.495] free (_Block=0x3df398) [0100.495] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0100.496] malloc (_Size=0xc) returned 0x3df398 [0100.496] malloc (_Size=0xc) returned 0x3df3b0 [0100.496] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.496] SysStringLen (param_1="TABLE") returned 0x5 [0100.496] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.496] SysStringLen (param_1="VALUE") returned 0x5 [0100.496] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.496] SysStringLen (param_1="XML") returned 0x3 [0100.496] SysStringLen (param_1="XML") returned 0x3 [0100.496] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.496] malloc (_Size=0x18) returned 0x3de9e8 [0100.496] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.496] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.496] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.496] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=10, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.496] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.496] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.496] malloc (_Size=0xc) returned 0x3df3c8 [0100.496] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.496] free (_Block=0x3df3c8) [0100.497] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0100.497] malloc (_Size=0xc) returned 0x3df3c8 [0100.497] malloc (_Size=0xc) returned 0x3df3e0 [0100.497] SysStringLen (param_1="texttablewsys") returned 0xd [0100.497] SysStringLen (param_1="TABLE") returned 0x5 [0100.497] SysStringLen (param_1="texttablewsys") returned 0xd [0100.497] SysStringLen (param_1="XML") returned 0x3 [0100.497] SysStringLen (param_1="texttablewsys") returned 0xd [0100.497] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.497] SysStringLen (param_1="XML") returned 0x3 [0100.497] SysStringLen (param_1="texttablewsys") returned 0xd [0100.497] malloc (_Size=0x18) returned 0x3dea08 [0100.497] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.497] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.497] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.497] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=11, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.497] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.497] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.497] malloc (_Size=0xc) returned 0x3df3f8 [0100.497] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.498] free (_Block=0x3df3f8) [0100.498] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0100.498] malloc (_Size=0xc) returned 0x3df3f8 [0100.498] malloc (_Size=0xc) returned 0x3df410 [0100.498] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.498] SysStringLen (param_1="TABLE") returned 0x5 [0100.498] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.498] SysStringLen (param_1="XML") returned 0x3 [0100.498] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.498] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.498] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.498] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.498] malloc (_Size=0x18) returned 0x3dea28 [0100.498] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.498] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.498] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.498] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=12, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.498] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.498] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.498] malloc (_Size=0xc) returned 0x3df428 [0100.499] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.499] free (_Block=0x3df428) [0100.499] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0100.499] malloc (_Size=0xc) returned 0x3df428 [0100.499] malloc (_Size=0xc) returned 0x3df440 [0100.499] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.499] SysStringLen (param_1="TABLE") returned 0x5 [0100.499] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.499] SysStringLen (param_1="XML") returned 0x3 [0100.499] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.499] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.499] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.499] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.499] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.499] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.499] malloc (_Size=0x18) returned 0x3dea48 [0100.499] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.499] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.499] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.499] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=13, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.500] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.500] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.500] malloc (_Size=0xc) returned 0x3df458 [0100.500] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.500] free (_Block=0x3df458) [0100.500] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0100.500] malloc (_Size=0xc) returned 0x3df458 [0100.500] malloc (_Size=0xc) returned 0x3df470 [0100.500] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.500] SysStringLen (param_1="TABLE") returned 0x5 [0100.500] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.500] SysStringLen (param_1="XML") returned 0x3 [0100.500] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.500] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.500] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.500] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.501] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.501] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.501] malloc (_Size=0x18) returned 0x3dea68 [0100.501] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.501] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.501] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.501] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=14, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.501] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="texttable.xsl") returned 0x0 [0100.501] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.501] malloc (_Size=0xc) returned 0x3df488 [0100.501] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.501] free (_Block=0x3df488) [0100.501] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0100.501] malloc (_Size=0xc) returned 0x3df488 [0100.501] malloc (_Size=0xc) returned 0x3df4a0 [0100.502] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.502] SysStringLen (param_1="TABLE") returned 0x5 [0100.502] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.502] SysStringLen (param_1="XML") returned 0x3 [0100.502] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.502] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.502] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.502] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.502] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.502] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.502] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.502] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0100.502] malloc (_Size=0x18) returned 0x3dea88 [0100.502] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.502] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.502] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.502] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=15, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.502] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="htable.xsl") returned 0x0 [0100.502] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.502] malloc (_Size=0xc) returned 0x3df4b8 [0100.502] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.503] free (_Block=0x3df4b8) [0100.503] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0100.503] malloc (_Size=0xc) returned 0x3df4b8 [0100.503] malloc (_Size=0xc) returned 0x3df4d0 [0100.503] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.503] SysStringLen (param_1="TABLE") returned 0x5 [0100.503] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.503] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.503] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.503] SysStringLen (param_1="XML") returned 0x3 [0100.503] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.503] SysStringLen (param_1="texttablewsys") returned 0xd [0100.503] SysStringLen (param_1="XML") returned 0x3 [0100.503] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.503] malloc (_Size=0x18) returned 0x3deaa8 [0100.503] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.503] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.503] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.503] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=16, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.503] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="htable.xsl") returned 0x0 [0100.503] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.504] malloc (_Size=0xc) returned 0x3df4e8 [0100.504] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.504] free (_Block=0x3df4e8) [0100.504] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0100.504] malloc (_Size=0xc) returned 0x3df4e8 [0100.504] malloc (_Size=0xc) returned 0x3df500 [0100.504] SysStringLen (param_1="htable-sortby") returned 0xd [0100.504] SysStringLen (param_1="TABLE") returned 0x5 [0100.504] SysStringLen (param_1="htable-sortby") returned 0xd [0100.504] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.504] SysStringLen (param_1="htable-sortby") returned 0xd [0100.504] SysStringLen (param_1="XML") returned 0x3 [0100.504] SysStringLen (param_1="htable-sortby") returned 0xd [0100.504] SysStringLen (param_1="texttablewsys") returned 0xd [0100.504] SysStringLen (param_1="htable-sortby") returned 0xd [0100.504] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0100.504] SysStringLen (param_1="XML") returned 0x3 [0100.504] SysStringLen (param_1="htable-sortby") returned 0xd [0100.504] malloc (_Size=0x18) returned 0x3deac8 [0100.504] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.505] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.505] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.505] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=17, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.505] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="mof.xsl") returned 0x0 [0100.505] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.505] malloc (_Size=0xc) returned 0x3df518 [0100.505] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.505] free (_Block=0x3df518) [0100.505] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0100.505] malloc (_Size=0xc) returned 0x3df518 [0100.505] malloc (_Size=0xc) returned 0x3df530 [0100.505] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.505] SysStringLen (param_1="TABLE") returned 0x5 [0100.505] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.505] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.505] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.505] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.505] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.505] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.505] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.506] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.506] malloc (_Size=0x18) returned 0x3deae8 [0100.506] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.506] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.506] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.506] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=18, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.506] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="mof.xsl") returned 0x0 [0100.506] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.506] malloc (_Size=0xc) returned 0x3df548 [0100.506] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.506] free (_Block=0x3df548) [0100.506] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0100.506] malloc (_Size=0xc) returned 0x3df548 [0100.506] malloc (_Size=0xc) returned 0x3df560 [0100.507] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.507] SysStringLen (param_1="TABLE") returned 0x5 [0100.507] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.507] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.507] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.507] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.507] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.507] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0100.507] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.507] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0100.507] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.507] SysStringLen (param_1="wmiclimofformat") returned 0xf [0100.507] malloc (_Size=0x18) returned 0x3deb08 [0100.507] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.507] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.507] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.507] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=19, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.507] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="textvaluelist.xsl") returned 0x0 [0100.507] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.507] malloc (_Size=0xc) returned 0x3df578 [0100.508] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.508] free (_Block=0x3df578) [0100.508] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0100.508] malloc (_Size=0xc) returned 0x3df578 [0100.508] malloc (_Size=0xc) returned 0x3df590 [0100.508] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.508] SysStringLen (param_1="TABLE") returned 0x5 [0100.508] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.508] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.508] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.508] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.508] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.508] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.508] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.508] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.508] malloc (_Size=0x18) returned 0x3deb28 [0100.508] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.508] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.508] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.508] IXMLDOMNodeList:get_item (in: This=0x2298e80, index=20, listItem=0x25f8b8 | out: listItem=0x25f8b8*=0x2294b20) returned 0x0 [0100.509] IXMLDOMNode:get_text (in: This=0x2294b20, text=0x25f8c0 | out: text=0x25f8c0*="textvaluelist.xsl") returned 0x0 [0100.509] IXMLDOMNode:get_attributes (in: This=0x2294b20, attributeMap=0x25f8b4 | out: attributeMap=0x25f8b4*=0x2298cf8) returned 0x0 [0100.509] malloc (_Size=0xc) returned 0x3df5a8 [0100.509] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2298cf8, name="KEYWORD", namedItem=0x25f8b0 | out: namedItem=0x25f8b0*=0x2298c98) returned 0x0 [0100.510] free (_Block=0x3df5a8) [0100.510] IXMLDOMNode:get_nodeValue (in: This=0x2298c98, value=0x25f85c | out: value=0x25f85c*(varType=0x8, wReserved1=0x3d, wReserved2=0x2e98, wReserved3=0x3d, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0100.510] malloc (_Size=0xc) returned 0x3df5a8 [0100.510] malloc (_Size=0xc) returned 0x3df5c0 [0100.510] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.510] SysStringLen (param_1="TABLE") returned 0x5 [0100.511] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.511] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0100.511] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.511] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0100.511] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.511] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.511] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.511] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0100.511] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0100.511] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0100.511] malloc (_Size=0x18) returned 0x3deb48 [0100.511] IUnknown:Release (This=0x2294b20) returned 0x0 [0100.511] IUnknown:Release (This=0x2298cf8) returned 0x0 [0100.511] IUnknown:Release (This=0x2298c98) returned 0x0 [0100.511] IUnknown:Release (This=0x2298e80) returned 0x0 [0100.511] FreeThreadedDOMDocument:IUnknown:Release (This=0x2298c58) returned 0x1 [0100.511] FreeThreadedDOMDocument:IUnknown:Release (This=0x2294630) returned 0x0 [0100.511] free (_Block=0x3d2eb0) [0100.511] GetCommandLineW () returned="wmic.exe SHADOWCOPY /nointeractive" [0100.511] malloc (_Size=0x50) returned 0x3df630 [0100.511] memcpy_s (in: _Destination=0x3df630, _DestinationSize=0x4e, _Source=0x7c19a6, _SourceSize=0x44 | out: _Destination=0x3df630) returned 0x0 [0100.511] malloc (_Size=0xc) returned 0x3df5d8 [0100.512] malloc (_Size=0xc) returned 0x3df5f0 [0100.512] malloc (_Size=0xc) returned 0x3df608 [0100.512] malloc (_Size=0xc) returned 0x3df6a0 [0100.512] malloc (_Size=0x80) returned 0x2120390 [0100.512] GetLocalTime (in: lpSystemTime=0x25f868 | out: lpSystemTime=0x25f868*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x12, wMinute=0xf, wSecond=0x14, wMilliseconds=0x1da)) [0100.512] _vsnwprintf (in: _Buffer=0x2120390, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x25f848 | out: _Buffer="12-27-2021T18:15:20") returned 19 [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] malloc (_Size=0x36) returned 0x3d3170 [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] malloc (_Size=0x36) returned 0x3dfa88 [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] malloc (_Size=0x16) returned 0x3deb68 [0100.512] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.512] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0100.512] malloc (_Size=0x16) returned 0x3deb88 [0100.512] malloc (_Size=0x4) returned 0x3d2eb0 [0100.512] free (_Block=0x0) [0100.512] free (_Block=0x3deb68) [0100.512] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.512] malloc (_Size=0x4) returned 0x3dfac8 [0100.512] lstrlenW (lpString="/") returned 1 [0100.512] malloc (_Size=0x4) returned 0x3dfad8 [0100.512] malloc (_Size=0x8) returned 0x3dfae8 [0100.512] memmove_s (in: _Destination=0x3dfae8, _DestinationSize=0x4, _Source=0x3d2eb0, _SourceSize=0x4 | out: _Destination=0x3dfae8) returned 0x0 [0100.512] free (_Block=0x3d2eb0) [0100.512] free (_Block=0x0) [0100.513] free (_Block=0x3dfac8) [0100.513] lstrlenW (lpString=" SHADOWCOPY /nointeractive") returned 26 [0100.513] malloc (_Size=0x1c) returned 0x3dfaf8 [0100.513] lstrlenW (lpString="nointeractive") returned 13 [0100.513] _wcsicmp (_String1="nointeractive", _String2="\"NULL\"") returned 76 [0100.513] malloc (_Size=0x1c) returned 0x3dfb20 [0100.513] malloc (_Size=0xc) returned 0x3df6b8 [0100.513] memmove_s (in: _Destination=0x3df6b8, _DestinationSize=0x8, _Source=0x3dfae8, _SourceSize=0x8 | out: _Destination=0x3df6b8) returned 0x0 [0100.513] free (_Block=0x3dfae8) [0100.513] free (_Block=0x0) [0100.513] free (_Block=0x3dfaf8) [0100.513] malloc (_Size=0xc) returned 0x3df6d0 [0100.513] lstrlenW (lpString="QUIT") returned 4 [0100.513] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.513] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0100.513] lstrlenW (lpString="EXIT") returned 4 [0100.513] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.513] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0100.513] free (_Block=0x3df6d0) [0100.513] WbemLocator:IUnknown:AddRef (This=0x7e0b20) returned 0x2 [0100.513] malloc (_Size=0xc) returned 0x3df6d0 [0100.513] lstrlenW (lpString="/") returned 1 [0100.513] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.513] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0100.513] lstrlenW (lpString="-") returned 1 [0100.513] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.513] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0100.513] lstrlenW (lpString="CLASS") returned 5 [0100.513] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.513] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0100.513] lstrlenW (lpString="PATH") returned 4 [0100.513] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0100.514] lstrlenW (lpString="CONTEXT") returned 7 [0100.514] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.514] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0100.514] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.514] malloc (_Size=0x16) returned 0x3deb68 [0100.514] lstrlenW (lpString="SHADOWCOPY") returned 10 [0100.514] GetCurrentThreadId () returned 0x8d0 [0100.514] ??0CHString@@QAE@XZ () returned 0x25f7bc [0100.514] malloc (_Size=0xc) returned 0x3df6e8 [0100.514] malloc (_Size=0xc) returned 0x3df700 [0100.514] WbemLocator:IWbemLocator:ConnectServer (in: This=0x7e0b20, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x5ec1e0 | out: ppNamespace=0x5ec1e0*=0x7fd3e8) returned 0x0 [0100.596] free (_Block=0x3df700) [0100.596] free (_Block=0x3df6e8) [0100.597] CoSetProxyBlanket (pProxy=0x7fd3e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0100.597] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.597] GetCurrentThreadId () returned 0x8d0 [0100.597] ??0CHString@@QAE@XZ () returned 0x25f754 [0100.597] malloc (_Size=0xc) returned 0x3df6e8 [0100.597] malloc (_Size=0xc) returned 0x3df700 [0100.597] malloc (_Size=0xc) returned 0x3df718 [0100.597] malloc (_Size=0xc) returned 0x3df730 [0100.597] SysStringLen (param_1="root\\cli") returned 0x8 [0100.597] SysStringLen (param_1="\\") returned 0x1 [0100.597] malloc (_Size=0xc) returned 0x3df748 [0100.597] SysStringLen (param_1="root\\cli\\") returned 0x9 [0100.597] SysStringLen (param_1="ms_409") returned 0x6 [0100.598] free (_Block=0x3df730) [0100.598] free (_Block=0x3df718) [0100.598] free (_Block=0x3df700) [0100.598] free (_Block=0x3df6e8) [0100.598] malloc (_Size=0xc) returned 0x3df6e8 [0100.598] WbemLocator:IWbemLocator:ConnectServer (in: This=0x7e0b20, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x5ec1e4 | out: ppNamespace=0x5ec1e4*=0x7fd488) returned 0x0 [0100.604] free (_Block=0x3df6e8) [0100.604] free (_Block=0x3df748) [0100.604] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.604] GetCurrentThreadId () returned 0x8d0 [0100.604] ??0CHString@@QAE@XZ () returned 0x25f7c0 [0100.604] malloc (_Size=0xc) returned 0x3df748 [0100.604] malloc (_Size=0xc) returned 0x3df6e8 [0100.604] malloc (_Size=0xc) returned 0x3df700 [0100.604] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0100.604] malloc (_Size=0x3a) returned 0x3dff88 [0100.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5a1f7c, cbMultiByte=-1, lpWideCharStr=0x3dff88, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0100.605] free (_Block=0x3dff88) [0100.605] malloc (_Size=0xc) returned 0x3df718 [0100.605] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0100.605] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0100.605] malloc (_Size=0xc) returned 0x3df730 [0100.605] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0100.605] SysStringLen (param_1="'") returned 0x1 [0100.605] free (_Block=0x3df718) [0100.605] free (_Block=0x3df700) [0100.606] free (_Block=0x3df6e8) [0100.606] free (_Block=0x3df748) [0100.606] IWbemServices:GetObject (in: This=0x7fd3e8, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0x25f7bc*=0x0, ppCallResult=0x0 | out: ppObject=0x25f7bc*=0x82bdd0, ppCallResult=0x0) returned 0x0 [0100.613] malloc (_Size=0xc) returned 0x3df748 [0100.613] IWbemClassObject:Get (in: This=0x82bdd0, wszName="Target", lFlags=0, pVal=0x25f77c*(varType=0x0, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x5d, varVal1=0xffffffff, varVal2=0x5aa03c), pType=0x0, plFlavor=0x0 | out: pVal=0x25f77c*(varType=0x8, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x5d, varVal1="Select * from Win32_ShadowCopy", varVal2=0x5aa03c), pType=0x0, plFlavor=0x0) returned 0x0 [0100.613] free (_Block=0x3df748) [0100.613] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.613] malloc (_Size=0x3e) returned 0x3dff88 [0100.613] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0100.613] malloc (_Size=0xc) returned 0x3df748 [0100.613] IWbemClassObject:Get (in: This=0x82bdd0, wszName="PWhere", lFlags=0, pVal=0x25f77c*(varType=0x0, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x5d, varVal1=0x7faf74, varVal2=0x5aa03c), pType=0x0, plFlavor=0x0 | out: pVal=0x25f77c*(varType=0x8, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x5d, varVal1=" Where ID = '#'", varVal2=0x5aa03c), pType=0x0, plFlavor=0x0) returned 0x0 [0100.614] free (_Block=0x3df748) [0100.614] lstrlenW (lpString=" Where ID = '#'") returned 15 [0100.614] malloc (_Size=0x20) returned 0x3dfae8 [0100.614] lstrlenW (lpString=" Where ID = '#'") returned 15 [0100.614] malloc (_Size=0xc) returned 0x3df748 [0100.614] IWbemClassObject:Get (in: This=0x82bdd0, wszName="Connection", lFlags=0, pVal=0x25f77c*(varType=0x0, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x5d, varVal1=0x814a1c, varVal2=0x5aa03c), pType=0x0, plFlavor=0x0 | out: pVal=0x25f77c*(varType=0xd, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x5d, varVal1=0x82c190, varVal2=0x5aa03c), pType=0x0, plFlavor=0x0) returned 0x0 [0100.614] free (_Block=0x3df748) [0100.614] IUnknown:QueryInterface (in: This=0x82c190, riid=0x5a6b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x25f7b4 | out: ppvObject=0x25f7b4*=0x82c190) returned 0x0 [0100.614] GetCurrentThreadId () returned 0x8d0 [0100.614] ??0CHString@@QAE@XZ () returned 0x25f730 [0100.614] malloc (_Size=0xc) returned 0x3df748 [0100.614] IWbemClassObject:Get (in: This=0x82c190, wszName="Namespace", lFlags=0, pVal=0x25f700*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f700*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.614] free (_Block=0x3df748) [0100.614] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0100.614] malloc (_Size=0x16) returned 0x3deba8 [0100.614] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0100.614] malloc (_Size=0xc) returned 0x3df748 [0100.615] IWbemClassObject:Get (in: This=0x82c190, wszName="Locale", lFlags=0, pVal=0x25f700*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f700*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.615] free (_Block=0x3df748) [0100.615] lstrlenW (lpString="ms_409") returned 6 [0100.615] malloc (_Size=0xe) returned 0x3df748 [0100.615] lstrlenW (lpString="ms_409") returned 6 [0100.615] malloc (_Size=0xc) returned 0x3df6e8 [0100.615] IWbemClassObject:Get (in: This=0x82c190, wszName="User", lFlags=0, pVal=0x25f700*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f700*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.615] free (_Block=0x3df6e8) [0100.615] malloc (_Size=0xc) returned 0x3df6e8 [0100.615] IWbemClassObject:Get (in: This=0x82c190, wszName="Password", lFlags=0, pVal=0x25f700*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f700*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.615] free (_Block=0x3df6e8) [0100.615] malloc (_Size=0xc) returned 0x3df6e8 [0100.615] IWbemClassObject:Get (in: This=0x82c190, wszName="Server", lFlags=0, pVal=0x25f700*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f700*(varType=0x8, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.615] free (_Block=0x3df6e8) [0100.615] lstrlenW (lpString=".") returned 1 [0100.615] malloc (_Size=0x4) returned 0x3dfb10 [0100.615] lstrlenW (lpString=".") returned 1 [0100.615] malloc (_Size=0xc) returned 0x3df6e8 [0100.615] IWbemClassObject:Get (in: This=0x82c190, wszName="Authority", lFlags=0, pVal=0x25f700*(varType=0x0, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f700*(varType=0x1, wReserved1=0x0, wReserved2=0xf748, wReserved3=0x3d, varVal1=0x8107ec, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.616] free (_Block=0x3df6e8) [0100.616] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.616] IUnknown:Release (This=0x82c190) returned 0x1 [0100.616] GetCurrentThreadId () returned 0x8d0 [0100.616] ??0CHString@@QAE@XZ () returned 0x25f728 [0100.616] malloc (_Size=0xc) returned 0x3df6e8 [0100.616] IWbemClassObject:Get (in: This=0x82bdd0, wszName="__RELPATH", lFlags=0, pVal=0x25f708*(varType=0x0, wReserved1=0x0, wReserved2=0xc190, wReserved3=0x82, varVal1=0x25f720, varVal2=0x72a3ba69), pType=0x0, plFlavor=0x0 | out: pVal=0x25f708*(varType=0x8, wReserved1=0x0, wReserved2=0xc190, wReserved3=0x82, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x72a3ba69), pType=0x0, plFlavor=0x0) returned 0x0 [0100.616] free (_Block=0x3df6e8) [0100.616] malloc (_Size=0xc) returned 0x3df6e8 [0100.616] GetCurrentThreadId () returned 0x8d0 [0100.616] ??0CHString@@QAE@XZ () returned 0x25f6b8 [0100.616] ??0CHString@@QAE@PBG@Z () returned 0x25f6a4 [0100.616] ??0CHString@@QAE@ABV0@@Z () returned 0x25f644 [0100.616] ?Empty@CHString@@QAEXXZ () returned 0x72b9d828 [0100.616] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x2122268 [0100.616] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0100.616] ?Left@CHString@@QBE?AV1@H@Z () returned 0x25f624 [0100.616] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x25f628 [0100.616] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x25f6a4 [0100.617] ??1CHString@@QAE@XZ () returned 0x1 [0100.617] ??1CHString@@QAE@XZ () returned 0x1 [0100.617] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x25f620 [0100.617] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x25f644 [0100.617] ??1CHString@@QAE@XZ () returned 0x21222d0 [0100.617] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x21222d0 [0100.617] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0100.617] ?Left@CHString@@QBE?AV1@H@Z () returned 0x25f624 [0100.617] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x25f628 [0100.617] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x25f6a4 [0100.617] ??1CHString@@QAE@XZ () returned 0x1 [0100.617] ??1CHString@@QAE@XZ () returned 0x1 [0100.617] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x25f620 [0100.617] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x25f644 [0100.617] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.617] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x72b9d81c [0100.617] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.617] malloc (_Size=0xc) returned 0x3df700 [0100.617] malloc (_Size=0xc) returned 0x3df718 [0100.617] malloc (_Size=0xc) returned 0x3df760 [0100.617] malloc (_Size=0xc) returned 0x3df778 [0100.617] malloc (_Size=0xc) returned 0x3df790 [0100.617] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0100.617] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0100.617] malloc (_Size=0xc) returned 0x3df7a8 [0100.617] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0100.617] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0100.618] malloc (_Size=0xc) returned 0x3df7c0 [0100.618] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0100.618] SysStringLen (param_1="\"") returned 0x1 [0100.618] free (_Block=0x3df7a8) [0100.618] free (_Block=0x3df790) [0100.618] free (_Block=0x3df778) [0100.618] free (_Block=0x3df760) [0100.618] free (_Block=0x3df718) [0100.618] free (_Block=0x3df700) [0100.618] IWbemServices:GetObject (in: This=0x7fd488, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x25f6c0*=0x0, ppCallResult=0x0 | out: ppObject=0x25f6c0*=0x82c570, ppCallResult=0x0) returned 0x0 [0100.620] malloc (_Size=0xc) returned 0x3df700 [0100.620] IWbemClassObject:Get (in: This=0x82c570, wszName="Text", lFlags=0, pVal=0x25f66c*(varType=0x0, wReserved1=0x7f, wReserved2=0x41ec, wReserved3=0x7e, varVal1=0x4e, varVal2=0x5ec1e0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f66c*(varType=0x2008, wReserved1=0x7f, wReserved2=0x41ec, wReserved3=0x7e, varVal1=0x82c730*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x8179f0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x5ec1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.620] free (_Block=0x3df700) [0100.620] SafeArrayGetLBound (in: psa=0x82c730, nDim=0x1, plLbound=0x25f684 | out: plLbound=0x25f684) returned 0x0 [0100.620] SafeArrayGetUBound (in: psa=0x82c730, nDim=0x1, plUbound=0x25f680 | out: plUbound=0x25f680) returned 0x0 [0100.620] SafeArrayGetElement (in: psa=0x82c730, rgIndices=0x25f6e4, pv=0x25f6ac | out: pv=0x25f6ac) returned 0x0 [0100.620] malloc (_Size=0xc) returned 0x3df700 [0100.620] malloc (_Size=0xc) returned 0x3df718 [0100.620] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0100.620] free (_Block=0x3df700) [0100.621] IUnknown:Release (This=0x82c570) returned 0x0 [0100.621] free (_Block=0x3df7c0) [0100.621] ??1CHString@@QAE@XZ () returned 0x1 [0100.621] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.621] free (_Block=0x3df6e8) [0100.621] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.621] lstrlenW (lpString="Shadow copy management.") returned 23 [0100.621] malloc (_Size=0x30) returned 0x2122268 [0100.621] lstrlenW (lpString="Shadow copy management.") returned 23 [0100.621] free (_Block=0x3df718) [0100.621] IUnknown:Release (This=0x82bdd0) returned 0x0 [0100.621] free (_Block=0x3df730) [0100.621] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.621] lstrlenW (lpString="PATH") returned 4 [0100.621] lstrlenW (lpString="/") returned 1 [0100.621] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="PATH", cchCount2=4) returned 1 [0100.621] lstrlenW (lpString="WHERE") returned 5 [0100.621] lstrlenW (lpString="/") returned 1 [0100.621] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="WHERE", cchCount2=5) returned 1 [0100.621] lstrlenW (lpString="(") returned 1 [0100.621] lstrlenW (lpString="/") returned 1 [0100.621] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="(", cchCount2=1) returned 3 [0100.621] lstrlenW (lpString="/") returned 1 [0100.621] lstrlenW (lpString="/") returned 1 [0100.621] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="/", cchCount1=1, lpString2="/", cchCount2=1) returned 2 [0100.622] lstrlenW (lpString="?") returned 1 [0100.622] lstrlenW (lpString="nointeractive") returned 13 [0100.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="nointeractive", cchCount1=13, lpString2="?", cchCount2=1) returned 3 [0100.622] free (_Block=0x3df6d0) [0100.622] GetCurrentThreadId () returned 0x8d0 [0100.622] ??0CHString@@QAE@PBG@Z () returned 0x25f85c [0100.622] ??YCHString@@QAEABV0@PBG@Z () returned 0x25f85c [0100.622] malloc (_Size=0x800) returned 0x2122328 [0100.622] LoadStringW (in: hInstance=0x0, uID=0xac5c, lpBuffer=0x2122328, cchBufferMax=1024 | out: lpBuffer="Unexpected switch at this level.\r\n") returned 0x22 [0100.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Unexpected switch at this level.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0100.622] malloc (_Size=0x23) returned 0x2122b30 [0100.622] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Unexpected switch at this level.\r\n", cchWideChar=-1, lpMultiByteStr=0x2122b30, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Unexpected switch at this level.\r\n", lpUsedDefaultChar=0x0) returned 35 [0100.622] fprintf (in: _File=0x76d62940, _Format="%s" | out: _File=0x76d62940) returned 34 [0100.623] fflush (in: _File=0x76d62940 | out: _File=0x76d62940) returned 0 [0100.624] free (_Block=0x2122b30) [0100.624] free (_Block=0x2122328) [0100.624] ??1CHString@@QAE@XZ () returned 0x1 [0100.624] ??0CHString@@QAE@PBG@Z () returned 0x25f87c [0100.624] ??YCHString@@QAEABV0@PBG@Z () returned 0x25f87c [0100.624] GetCurrentThreadId () returned 0x8d0 [0100.624] GetLastError () returned 0x0 [0100.624] ??1CHString@@QAE@XZ () returned 0x1 [0100.624] free (_Block=0x3df6a0) [0100.624] free (_Block=0x3df608) [0100.624] free (_Block=0x3df5f0) [0100.624] free (_Block=0x3df5d8) [0100.625] free (_Block=0x3d3170) [0100.625] free (_Block=0x3deb68) [0100.625] free (_Block=0x2122268) [0100.625] free (_Block=0x3dff88) [0100.625] free (_Block=0x3df748) [0100.625] free (_Block=0x3deba8) [0100.625] free (_Block=0x3dfb10) [0100.625] free (_Block=0x3d2e38) [0100.626] free (_Block=0x3dfae8) [0100.626] ?Empty@CHString@@QAEXXZ () returned 0x72b9d81c [0100.626] free (_Block=0x3dfa88) [0100.626] free (_Block=0x3deb88) [0100.626] free (_Block=0x3dfad8) [0100.626] free (_Block=0x3dfb20) [0100.626] free (_Block=0x3d3f68) [0100.626] free (_Block=0x3d2728) [0100.627] free (_Block=0x3d2770) [0100.627] free (_Block=0x3d27b8) [0100.627] free (_Block=0x3d2810) [0100.627] free (_Block=0x3d2e20) [0100.627] free (_Block=0x3de8a8) [0100.627] free (_Block=0x3d2e08) [0100.627] free (_Block=0x3de888) [0100.627] free (_Block=0x3d29f0) [0100.627] free (_Block=0x3de868) [0100.627] free (_Block=0x3d2948) [0100.627] free (_Block=0x3d2960) [0100.627] free (_Block=0x3d2910) [0100.627] free (_Block=0x3d2928) [0100.628] free (_Block=0x3d2980) [0100.628] free (_Block=0x3d2998) [0100.628] free (_Block=0x3d29b8) [0100.628] free (_Block=0x3d29d0) [0100.628] free (_Block=0x3d28a0) [0100.628] free (_Block=0x3d28b8) [0100.628] free (_Block=0x3d2868) [0100.628] free (_Block=0x3d2880) [0100.628] free (_Block=0x3d28d8) [0100.628] free (_Block=0x3d28f0) [0100.628] free (_Block=0x3d2830) [0100.628] free (_Block=0x3d2848) [0100.628] free (_Block=0x3d27d8) [0100.629] free (_Block=0x3d3fb0) [0100.629] free (_Block=0x2120390) [0100.629] WbemLocator:IUnknown:Release (This=0x7fd488) returned 0x0 [0100.630] WbemLocator:IUnknown:Release (This=0x7fd3e8) returned 0x0 [0100.630] WbemLocator:IUnknown:Release (This=0x7e0b20) returned 0x1 [0100.630] ?Empty@CHString@@QAEXXZ () returned 0x72b9d81c [0100.630] WbemLocator:IUnknown:Release (This=0x7e0b20) returned 0x0 [0100.630] free (_Block=0x3df578) [0100.630] free (_Block=0x3df590) [0100.630] free (_Block=0x3deb28) [0100.630] free (_Block=0x3df5a8) [0100.630] free (_Block=0x3df5c0) [0100.630] free (_Block=0x3deb48) [0100.631] free (_Block=0x3df458) [0100.631] free (_Block=0x3df470) [0100.631] free (_Block=0x3dea68) [0100.631] free (_Block=0x3df488) [0100.631] free (_Block=0x3df4a0) [0100.631] free (_Block=0x3dea88) [0100.631] free (_Block=0x3df3f8) [0100.631] free (_Block=0x3df410) [0100.631] free (_Block=0x3dea28) [0100.631] free (_Block=0x3df428) [0100.631] free (_Block=0x3df440) [0100.631] free (_Block=0x3dea48) [0100.631] free (_Block=0x3df518) [0100.631] free (_Block=0x3df530) [0100.631] free (_Block=0x3deae8) [0100.632] free (_Block=0x3df548) [0100.632] free (_Block=0x3df560) [0100.632] free (_Block=0x3deb08) [0100.632] free (_Block=0x3df398) [0100.632] free (_Block=0x3df3b0) [0100.632] free (_Block=0x3de9e8) [0100.632] free (_Block=0x3df3c8) [0100.632] free (_Block=0x3df3e0) [0100.632] free (_Block=0x3dea08) [0100.632] free (_Block=0x3df4b8) [0100.632] free (_Block=0x3df4d0) [0100.632] free (_Block=0x3deaa8) [0100.632] free (_Block=0x3df4e8) [0100.632] free (_Block=0x3df500) [0100.632] free (_Block=0x3deac8) [0100.633] free (_Block=0x3df308) [0100.633] free (_Block=0x3df320) [0100.633] free (_Block=0x3de988) [0100.633] free (_Block=0x3d3140) [0100.633] free (_Block=0x3d3158) [0100.633] free (_Block=0x3de8e8) [0100.633] free (_Block=0x3d2e80) [0100.633] free (_Block=0x3d2e98) [0100.633] free (_Block=0x3de8c8) [0100.633] free (_Block=0x3df278) [0100.633] free (_Block=0x3df290) [0100.633] free (_Block=0x3de928) [0100.633] free (_Block=0x3df338) [0100.633] free (_Block=0x3df350) [0100.633] free (_Block=0x3de9a8) [0100.633] free (_Block=0x3df248) [0100.634] free (_Block=0x3df260) [0100.634] free (_Block=0x3de908) [0100.634] free (_Block=0x3df2a8) [0100.634] free (_Block=0x3df2c0) [0100.634] free (_Block=0x3de948) [0100.634] free (_Block=0x3df2d8) [0100.635] free (_Block=0x3df2f0) [0100.635] free (_Block=0x3de968) [0100.635] free (_Block=0x3df368) [0100.635] free (_Block=0x3df380) [0100.635] free (_Block=0x3de9c8) [0100.635] CoUninitialize () [0100.661] exit (_Code=44124) [0100.662] free (_Block=0x3df630) [0100.662] free (_Block=0x3d3e38) [0100.662] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.662] free (_Block=0x3d2f58) [0100.662] free (_Block=0x3d3fd8) [0100.662] free (_Block=0x3d3e18) [0100.662] free (_Block=0x3d3df8) [0100.663] free (_Block=0x3d3dc8) [0100.663] free (_Block=0x3d3da8) [0100.663] free (_Block=0x3d13d8) [0100.663] free (_Block=0x3d3d68) [0100.663] free (_Block=0x3d13b8) [0100.663] ??1CHString@@QAE@XZ () returned 0x72b9d81c [0100.663] free (_Block=0x3df6b8) Thread: id = 122 os_tid = 0x8d8 Thread: id = 123 os_tid = 0xaec Thread: id = 124 os_tid = 0xac0 Thread: id = 125 os_tid = 0x910 Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x43938000" os_pid = "0xb50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xae4" cmd_line = "vssadmin.exe Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2364 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2365 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2366 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2367 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2368 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2369 start_va = 0xf0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2370 start_va = 0x260000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2371 start_va = 0xd90000 end_va = 0xdaefff monitored = 0 entry_point = 0xda1f03 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe") Region: id = 2372 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2373 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2374 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2375 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2376 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2377 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2378 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2379 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2380 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2381 start_va = 0x3d0000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2382 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2383 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2384 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2385 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2386 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2387 start_va = 0x450000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2388 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2389 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2390 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2391 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2392 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2393 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2394 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2395 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2396 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2397 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2398 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2399 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2400 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2401 start_va = 0x72b90000 end_va = 0x72ba3fff monitored = 0 entry_point = 0x72b91da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 2402 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2403 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2404 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2405 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2406 start_va = 0x72b80000 end_va = 0x72b8ffff monitored = 0 entry_point = 0x72b81270 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll") Region: id = 2407 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2408 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2409 start_va = 0x72a60000 end_va = 0x72b75fff monitored = 0 entry_point = 0x72a61590 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll") Region: id = 2410 start_va = 0x130000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2411 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2412 start_va = 0x130000 end_va = 0x14dfff monitored = 0 entry_point = 0x14158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2413 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2414 start_va = 0x130000 end_va = 0x14dfff monitored = 0 entry_point = 0x14158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2415 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2416 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2417 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 2418 start_va = 0xdb0000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 2419 start_va = 0x30000 end_va = 0x3cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui") Region: id = 2420 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2421 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2422 start_va = 0x220000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2423 start_va = 0x310000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2424 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2425 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2426 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2427 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2428 start_va = 0x2d0000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2429 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2430 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2431 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2432 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2433 start_va = 0x160000 end_va = 0x19bfff monitored = 0 entry_point = 0x16128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2434 start_va = 0x160000 end_va = 0x19bfff monitored = 0 entry_point = 0x16128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2435 start_va = 0x160000 end_va = 0x19bfff monitored = 0 entry_point = 0x16128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2436 start_va = 0x160000 end_va = 0x19bfff monitored = 0 entry_point = 0x16128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2437 start_va = 0x160000 end_va = 0x19bfff monitored = 0 entry_point = 0x16128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2438 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2439 start_va = 0x9a0000 end_va = 0xc6efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2440 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 2441 start_va = 0x470000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 2442 start_va = 0x21d0000 end_va = 0x220ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 2443 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2444 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2445 start_va = 0xce0000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2446 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2447 start_va = 0x2210000 end_va = 0x22cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2448 start_va = 0x350000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2449 start_va = 0x160000 end_va = 0x167fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vsstrace.dll.mui") Thread: id = 126 os_tid = 0xad0 Thread: id = 127 os_tid = 0x914 Thread: id = 128 os_tid = 0x890 Thread: id = 129 os_tid = 0x77c Thread: id = 130 os_tid = 0x8fc Process: id = "13" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x3f599000" os_pid = "0xa34" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x360" cmd_line = "taskeng.exe {0E924911-1BE7-4516-AAE9-9100E7E91DAF} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\\kEecfMwgj:Interactive:LUA[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2598 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2599 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2600 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2601 start_va = 0x150000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2602 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2603 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2604 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2605 start_va = 0xff1e0000 end_va = 0xff253fff monitored = 0 entry_point = 0xff1ef44c region_type = mapped_file name = "taskeng.exe" filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe") Region: id = 2606 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2607 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2608 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2609 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2611 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2612 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2613 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2614 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2615 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2616 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2617 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2618 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2619 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2620 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2621 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2622 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2623 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2624 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2625 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2626 start_va = 0x7fef8ee0000 end_va = 0x7fef8ee9fff monitored = 0 entry_point = 0x7fef8ee260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 2627 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2628 start_va = 0x430000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2629 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2632 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2633 start_va = 0x5c0000 end_va = 0x747fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2634 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2635 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2636 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2637 start_va = 0x750000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 2638 start_va = 0x8e0000 end_va = 0x1cdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 2639 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskeng.exe.mui" filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui") Region: id = 2641 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2642 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2643 start_va = 0x430000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2644 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 2645 start_va = 0x430000 end_va = 0x4acfff monitored = 0 entry_point = 0x43cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2646 start_va = 0x4e0000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2647 start_va = 0x430000 end_va = 0x4acfff monitored = 0 entry_point = 0x43cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2648 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2649 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2652 start_va = 0x1e00000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 2653 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2654 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2655 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2656 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2657 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2658 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2659 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2660 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2661 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2662 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2664 start_va = 0x1ed0000 end_va = 0x1f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 2665 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2667 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2668 start_va = 0x1ce0000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 2669 start_va = 0x1ff0000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 2670 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2671 start_va = 0x2070000 end_va = 0x233efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2672 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2675 start_va = 0x1f50000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 2676 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2677 start_va = 0x23c0000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 2678 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2679 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2680 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2681 start_va = 0x7fef8080000 end_va = 0x7fef8088fff monitored = 0 entry_point = 0x7fef80811a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 2685 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2686 start_va = 0x2440000 end_va = 0x256ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 2687 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2689 start_va = 0x2580000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2690 start_va = 0x2600000 end_va = 0x26defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002600000" filename = "" Region: id = 2691 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2692 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2918 start_va = 0x430000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2919 start_va = 0x26e0000 end_va = 0x300ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Thread: id = 132 os_tid = 0xa28 Thread: id = 133 os_tid = 0xa2c Thread: id = 134 os_tid = 0xa30 Thread: id = 135 os_tid = 0xa24 Thread: id = 136 os_tid = 0xa20 Thread: id = 137 os_tid = 0xadc Thread: id = 138 os_tid = 0x4a4 Process: id = "14" image_name = "avaddon_09_06_2020_1054kb.exe" filename = "c:\\users\\keecfmwgj\\appdata\\roaming\\avaddon_09_06_2020_1054kb.exe" page_root = "0x3d9c1000" os_pid = "0xad8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0xa34" cmd_line = "C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe " cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2842 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2843 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2844 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2845 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2846 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 2847 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2848 start_va = 0x210000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2849 start_va = 0x3d0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2850 start_va = 0x11f0000 end_va = 0x12f9fff monitored = 1 entry_point = 0x12381c7 region_type = mapped_file name = "avaddon_09_06_2020_1054kb.exe" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\avaddon_09_06_2020_1054kb.exe") Region: id = 2851 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2852 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2853 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2854 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2855 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2856 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2857 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2858 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2859 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2860 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2861 start_va = 0x680000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2862 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2863 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2864 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2865 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2866 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2867 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2868 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2869 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2870 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2871 start_va = 0x700000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 2872 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2873 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2875 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2876 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2877 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2878 start_va = 0x250000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2879 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2880 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2881 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2882 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2883 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2884 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2885 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2886 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2887 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2888 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2889 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2890 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2891 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2892 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2893 start_va = 0x753f0000 end_va = 0x75401fff monitored = 0 entry_point = 0x753f1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 2894 start_va = 0x753d0000 end_va = 0x753e0fff monitored = 0 entry_point = 0x753d1300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 2895 start_va = 0x753c0000 end_va = 0x753c8fff monitored = 0 entry_point = 0x753c15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 2896 start_va = 0x753a0000 end_va = 0x753b8fff monitored = 0 entry_point = 0x753a1319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 2898 start_va = 0x75390000 end_va = 0x7539efff monitored = 0 entry_point = 0x753912a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 2899 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2900 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2901 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2902 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2903 start_va = 0x75360000 end_va = 0x75387fff monitored = 0 entry_point = 0x7537d352 region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\SysWOW64\\RstrtMgr.dll" (normalized: "c:\\windows\\syswow64\\rstrtmgr.dll") Region: id = 2904 start_va = 0x75320000 end_va = 0x75357fff monitored = 0 entry_point = 0x75321489 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 2905 start_va = 0x75300000 end_va = 0x75316fff monitored = 0 entry_point = 0x753035fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2906 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2907 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2908 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2909 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2910 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2911 start_va = 0x2c0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2913 start_va = 0x4d0000 end_va = 0x657fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 2914 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2915 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2916 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2917 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 139 os_tid = 0xa60 Thread: id = 140 os_tid = 0xa6c Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa352000" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c378" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2934 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2935 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2936 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2937 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2938 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2939 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2940 start_va = 0x140000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2941 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 2942 start_va = 0x250000 end_va = 0x250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2943 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2944 start_va = 0x270000 end_va = 0x27cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2945 start_va = 0x280000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2946 start_va = 0x380000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 2947 start_va = 0x510000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2948 start_va = 0x6a0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2949 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2950 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 2951 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 2952 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 2953 start_va = 0x7a0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2954 start_va = 0x820000 end_va = 0x821fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 2955 start_va = 0x830000 end_va = 0x831fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2956 start_va = 0x840000 end_va = 0x841fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2957 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2958 start_va = 0x860000 end_va = 0x8a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2959 start_va = 0x8e0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 2960 start_va = 0x8f0000 end_va = 0x90ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rasdlg.dll.mui" filename = "\\Windows\\System32\\en-US\\rasdlg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\rasdlg.dll.mui") Region: id = 2961 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 2962 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 2963 start_va = 0x930000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2964 start_va = 0x940000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 2965 start_va = 0x9c0000 end_va = 0x9c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.dll.mui" filename = "\\Windows\\System32\\en-US\\sysmain.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sysmain.dll.mui") Region: id = 2966 start_va = 0x9e0000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 2967 start_va = 0xa60000 end_va = 0xd2efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2968 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 2969 start_va = 0xd80000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 2970 start_va = 0xda0000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 2971 start_va = 0xe70000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 2972 start_va = 0xe80000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 2973 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 2974 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 2975 start_va = 0x1160000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 2976 start_va = 0x1230000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 2977 start_va = 0x12d0000 end_va = 0x134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 2978 start_va = 0x1350000 end_va = 0x13cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 2979 start_va = 0x1430000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 2980 start_va = 0x1480000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 2981 start_va = 0x1500000 end_va = 0x157ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 2982 start_va = 0x1720000 end_va = 0x179ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 2983 start_va = 0x17a0000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 2984 start_va = 0x1820000 end_va = 0x189ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001820000" filename = "" Region: id = 2985 start_va = 0x18a0000 end_va = 0x199ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 2986 start_va = 0x19a0000 end_va = 0x1a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 2987 start_va = 0x1a20000 end_va = 0x1b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 2988 start_va = 0x1b50000 end_va = 0x1b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b50000" filename = "" Region: id = 2989 start_va = 0x1c10000 end_va = 0x1d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 2990 start_va = 0x1d10000 end_va = 0x1d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 2991 start_va = 0x1d20000 end_va = 0x1e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 2992 start_va = 0x1ed0000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 2993 start_va = 0x2040000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2994 start_va = 0x2050000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 2995 start_va = 0x2150000 end_va = 0x224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 2996 start_va = 0x2250000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 2997 start_va = 0x2450000 end_va = 0x2c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 2998 start_va = 0x2ce0000 end_va = 0x2d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 2999 start_va = 0x2de0000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 3000 start_va = 0x2e60000 end_va = 0x2edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 3001 start_va = 0x2ef0000 end_va = 0x2f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 3002 start_va = 0x3090000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 3003 start_va = 0x3480000 end_va = 0x387ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 3004 start_va = 0x3880000 end_va = 0x407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 3005 start_va = 0x4080000 end_va = 0x504ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 3006 start_va = 0x5050000 end_va = 0x601ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005050000" filename = "" Region: id = 3007 start_va = 0x75500000 end_va = 0x75502fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 3008 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3009 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3010 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3011 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3012 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3013 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3014 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3015 start_va = 0x7fef40e0000 end_va = 0x7fef411efff monitored = 0 entry_point = 0x7fef40e12c0 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 3016 start_va = 0x7fef4120000 end_va = 0x7fef413bfff monitored = 0 entry_point = 0x7fef41211a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 3017 start_va = 0x7fef4140000 end_va = 0x7fef41a1fff monitored = 0 entry_point = 0x7fef4141198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 3018 start_va = 0x7fef41b0000 end_va = 0x7fef41e9fff monitored = 0 entry_point = 0x7fef41b1010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 3019 start_va = 0x7fef41f0000 end_va = 0x7fef42c7fff monitored = 0 entry_point = 0x7fef4258bd0 region_type = mapped_file name = "rasdlg.dll" filename = "\\Windows\\System32\\rasdlg.dll" (normalized: "c:\\windows\\system32\\rasdlg.dll") Region: id = 3020 start_va = 0x7fef42d0000 end_va = 0x7fef432bfff monitored = 0 entry_point = 0x7fef42d8c20 region_type = mapped_file name = "netman.dll" filename = "\\Windows\\System32\\netman.dll" (normalized: "c:\\windows\\system32\\netman.dll") Region: id = 3021 start_va = 0x7fef4580000 end_va = 0x7fef480afff monitored = 0 entry_point = 0x7fef4586f5c region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 3022 start_va = 0x7fef4a80000 end_va = 0x7fef4a96fff monitored = 0 entry_point = 0x7fef4a8d308 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 3023 start_va = 0x7fef4aa0000 end_va = 0x7fef4aabfff monitored = 0 entry_point = 0x7fef4aa419c region_type = mapped_file name = "apphlpdm.dll" filename = "\\Windows\\System32\\Apphlpdm.dll" (normalized: "c:\\windows\\system32\\apphlpdm.dll") Region: id = 3024 start_va = 0x7fef4af0000 end_va = 0x7fef4bacfff monitored = 0 entry_point = 0x7fef4af1ea4 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 3025 start_va = 0x7fef5030000 end_va = 0x7fef509afff monitored = 0 entry_point = 0x7fef5074344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 3026 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3027 start_va = 0x7fef5280000 end_va = 0x7fef5303fff monitored = 0 entry_point = 0x7fef52d1118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 3028 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3029 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3030 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3031 start_va = 0x7fef5600000 end_va = 0x7fef5610fff monitored = 0 entry_point = 0x7fef56014c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 3032 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 3033 start_va = 0x7fef5780000 end_va = 0x7fef57a1fff monitored = 0 entry_point = 0x7fef5781020 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 3034 start_va = 0x7fef57b0000 end_va = 0x7fef595dfff monitored = 0 entry_point = 0x7fef57da148 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 3035 start_va = 0x7fef5980000 end_va = 0x7fef5998fff monitored = 0 entry_point = 0x7fef5982b50 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 3036 start_va = 0x7fef59a0000 end_va = 0x7fef59affff monitored = 0 entry_point = 0x7fef59a1010 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 3037 start_va = 0x7fef59b0000 end_va = 0x7fef59c1fff monitored = 0 entry_point = 0x7fef59b1050 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 3038 start_va = 0x7fef59d0000 end_va = 0x7fef5a02fff monitored = 0 entry_point = 0x7fef59d101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 3039 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 3040 start_va = 0x7fef95d0000 end_va = 0x7fef95dffff monitored = 0 entry_point = 0x7fef95d27f0 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 3041 start_va = 0x7fefaf00000 end_va = 0x7fefaf56fff monitored = 0 entry_point = 0x7fefaf01118 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 3042 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3043 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3044 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3045 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3046 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 3047 start_va = 0x7fefb380000 end_va = 0x7fefb3bcfff monitored = 0 entry_point = 0x7fefb381b7c region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 3048 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 3049 start_va = 0x7fefb4b0000 end_va = 0x7fefb5d6fff monitored = 0 entry_point = 0x7fefb4b10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 3050 start_va = 0x7fefb5e0000 end_va = 0x7fefb60ffff monitored = 0 entry_point = 0x7fefb5ffe98 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 3051 start_va = 0x7fefb610000 end_va = 0x7fefb6bbfff monitored = 0 entry_point = 0x7fefb6218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3052 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 3053 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3054 start_va = 0x7fefb720000 end_va = 0x7fefb7cbfff monitored = 0 entry_point = 0x7fefb736acc region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 3055 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3056 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3057 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 3058 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3059 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 3060 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3061 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3062 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3063 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3064 start_va = 0x7fefcb10000 end_va = 0x7fefcb21fff monitored = 0 entry_point = 0x7fefcb11060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 3065 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3066 start_va = 0x7fefcc50000 end_va = 0x7fefcc5cfff monitored = 0 entry_point = 0x7fefcc51348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 3067 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3068 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3069 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3070 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3071 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3072 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3073 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3074 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3075 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3076 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3077 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3078 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3079 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3080 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3081 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3082 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3083 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3084 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3085 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3086 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3087 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3088 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3089 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3090 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3091 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3092 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3093 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3094 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3095 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3096 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3097 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3098 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3099 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3100 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3101 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3102 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3103 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 3104 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 3105 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 3106 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 3107 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 3108 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 3109 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3110 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3111 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3112 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3113 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3114 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3115 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3116 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3117 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3118 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3119 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3120 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3121 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3122 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3123 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3124 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3125 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3126 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3154 start_va = 0x1000000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3155 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 145 os_tid = 0x7bc Thread: id = 146 os_tid = 0x73c Thread: id = 147 os_tid = 0x3c4 Thread: id = 148 os_tid = 0x4c0 Thread: id = 149 os_tid = 0x33c Thread: id = 150 os_tid = 0x67c Thread: id = 151 os_tid = 0x78c Thread: id = 152 os_tid = 0x68c Thread: id = 153 os_tid = 0x680 Thread: id = 154 os_tid = 0x414 Thread: id = 155 os_tid = 0x114 Thread: id = 156 os_tid = 0x3e0 Thread: id = 157 os_tid = 0x3d4 Thread: id = 158 os_tid = 0x3d0 Thread: id = 159 os_tid = 0x3c0 Thread: id = 160 os_tid = 0x3bc Thread: id = 161 os_tid = 0x388 Thread: id = 162 os_tid = 0x374 Thread: id = 163 os_tid = 0x370 Thread: id = 164 os_tid = 0x358 Thread: id = 165 os_tid = 0x340 Thread: id = 166 os_tid = 0x330 Thread: id = 173 os_tid = 0x324 Thread: id = 178 os_tid = 0x6b0