# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 05.11.2020 03:53:48.931 Process: id = "1" image_name = "dddd.exe" filename = "c:\\users\\fd1hvy\\desktop\\dddd.exe" page_root = "0x8549000" os_pid = "0x11cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\dddd.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x11d4 [0083.034] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0083.040] RoInitialize () returned 0x1 [0083.040] RoUninitialize () returned 0x0 [0086.649] CoTaskMemAlloc (cb=0x8) returned 0x11326b0 [0086.822] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0xefc598 | out: phkResult=0xefc598*=0x0) returned 0x2 [0086.823] RegCloseKey (hKey=0xffffffff80000002) returned 0x0 [0087.078] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefd050, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0087.081] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefd050, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0087.302] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x7ffce9120000 [0087.449] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualProtect", cchWideChar=14, lpMultiByteStr=0xefd6b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualProtect", lpUsedDefaultChar=0x0) returned 14 [0087.449] GetProcAddress (hModule=0x7ffce9120000, lpProcName="VirtualProtect") returned 0x7ffce913b320 [0087.497] VirtualProtect (in: lpAddress=0xa726d4, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.502] VirtualProtect (in: lpAddress=0xa726d4, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.502] VirtualProtect (in: lpAddress=0xa726dc, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.502] VirtualProtect (in: lpAddress=0xa726dc, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.503] VirtualProtect (in: lpAddress=0xa726fc, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.503] VirtualProtect (in: lpAddress=0xa726fc, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.503] VirtualProtect (in: lpAddress=0xa7270c, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.503] VirtualProtect (in: lpAddress=0xa7270c, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.504] VirtualProtect (in: lpAddress=0xa7271c, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.504] VirtualProtect (in: lpAddress=0xa7271c, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.504] VirtualProtect (in: lpAddress=0xa7272c, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.504] VirtualProtect (in: lpAddress=0xa7272c, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.505] VirtualProtect (in: lpAddress=0xa72b70, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.505] VirtualProtect (in: lpAddress=0xa72b70, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.505] VirtualProtect (in: lpAddress=0xa72ba0, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.506] VirtualProtect (in: lpAddress=0xa72ba0, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.506] VirtualProtect (in: lpAddress=0xa72bd8, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.506] VirtualProtect (in: lpAddress=0xa72bd8, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.506] VirtualProtect (in: lpAddress=0xa72c10, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.507] VirtualProtect (in: lpAddress=0xa72c10, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.507] VirtualProtect (in: lpAddress=0xa72c6c, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.507] VirtualProtect (in: lpAddress=0xa72c6c, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.507] VirtualProtect (in: lpAddress=0xa72c7c, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.507] VirtualProtect (in: lpAddress=0xa72c7c, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.508] VirtualProtect (in: lpAddress=0xa81c1c, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.508] VirtualProtect (in: lpAddress=0xa81c1c, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.508] VirtualProtect (in: lpAddress=0xa81c44, dwSize=0x4, flNewProtect=0x4, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x2) returned 1 [0087.509] VirtualProtect (in: lpAddress=0xa81c44, dwSize=0x4, flNewProtect=0x2, lpflOldProtect=0xefda30 | out: lpflOldProtect=0xefda30*=0x4) returned 1 [0087.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorjit.dll", cchWideChar=12, lpMultiByteStr=0xefd710, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorjit.dllü\x7f", lpUsedDefaultChar=0x0) returned 12 [0087.561] LoadLibraryA (lpLibFileName="mscorjit.dll") returned 0x0 [0087.572] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clrjit.dll", cchWideChar=10, lpMultiByteStr=0xefd710, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clrjit.dll§Èü\x7f", lpUsedDefaultChar=0x0) returned 10 [0087.572] LoadLibraryA (lpLibFileName="clrjit.dll") returned 0x7ffcc8420000 [0087.573] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="getJit", cchWideChar=6, lpMultiByteStr=0xefd710, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getJit", lpUsedDefaultChar=0x0) returned 6 [0087.573] GetProcAddress (hModule=0x7ffcc8420000, lpProcName="getJit") returned 0x7ffcc849f7d0 [0087.864] GetCurrentProcessId () returned 0x11cc [0087.884] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xefc850 | out: lpLuid=0xefc850*(LowPart=0x14, HighPart=0)) returned 1 [0087.887] GetCurrentProcess () returned 0xffffffffffffffff [0087.887] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0xefc848 | out: TokenHandle=0xefc848*=0x270) returned 1 [0087.888] AdjustTokenPrivileges (in: TokenHandle=0x270, DisableAllPrivileges=0, NewState=0x2c7db28*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0087.889] CloseHandle (hObject=0x270) returned 1 [0087.933] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x11cc) returned 0x270 [0087.957] EnumProcessModules (in: hProcess=0x270, lphModule=0x2c7eaa0, cb=0x200, lpcbNeeded=0xefd6f0 | out: lphModule=0x2c7eaa0, lpcbNeeded=0xefd6f0) returned 1 [0088.033] GetModuleInformation (in: hProcess=0x270, hModule=0xa70000, lpmodinfo=0x2c7ed10, cb=0x18 | out: lpmodinfo=0x2c7ed10*(lpBaseOfDll=0xa70000, SizeOfImage=0x98000, EntryPoint=0x0)) returned 1 [0088.033] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.034] GetModuleBaseNameW (in: hProcess=0x270, hModule=0xa70000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="dddd.exe") returned 0x8 [0088.035] CoTaskMemFree (pv=0x1139bd0) [0088.035] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.035] GetModuleFileNameExW (in: hProcess=0x270, hModule=0xa70000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\dddd.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dddd.exe")) returned 0x20 [0088.035] CoTaskMemFree (pv=0x1139bd0) [0088.036] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcea380000, lpmodinfo=0x2c80f30, cb=0x18 | out: lpmodinfo=0x2c80f30*(lpBaseOfDll=0x7ffcea380000, SizeOfImage=0x1db000, EntryPoint=0x0)) returned 1 [0088.036] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.036] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcea380000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="ntdll.dll") returned 0x9 [0088.036] CoTaskMemFree (pv=0x1139bd0) [0088.037] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.037] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcea380000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")) returned 0x1d [0088.037] CoTaskMemFree (pv=0x1139bd0) [0088.037] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffccb0f0000, lpmodinfo=0x2c830d8, cb=0x18 | out: lpmodinfo=0x2c830d8*(lpBaseOfDll=0x7ffccb0f0000, SizeOfImage=0x63000, EntryPoint=0x7ffccb11a0a0)) returned 1 [0088.037] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.037] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffccb0f0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="MSCOREE.DLL") returned 0xb [0088.037] CoTaskMemFree (pv=0x1139bd0) [0088.037] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.037] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffccb0f0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\MSCOREE.DLL" (normalized: "c:\\windows\\system32\\mscoree.dll")) returned 0x1f [0088.038] CoTaskMemFree (pv=0x1139bd0) [0088.038] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce9120000, lpmodinfo=0x2c85280, cb=0x18 | out: lpmodinfo=0x2c85280*(lpBaseOfDll=0x7ffce9120000, SizeOfImage=0xae000, EntryPoint=0x7ffce9132800)) returned 1 [0088.038] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.038] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce9120000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="KERNEL32.dll") returned 0xc [0088.038] CoTaskMemFree (pv=0x1139bd0) [0088.038] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.038] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce9120000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\KERNEL32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")) returned 0x20 [0088.038] CoTaskMemFree (pv=0x1139bd0) [0088.038] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce68a0000, lpmodinfo=0x2c87438, cb=0x18 | out: lpmodinfo=0x2c87438*(lpBaseOfDll=0x7ffce68a0000, SizeOfImage=0x249000, EntryPoint=0x7ffce68abec0)) returned 1 [0088.038] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.039] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce68a0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="KERNELBASE.dll") returned 0xe [0088.039] CoTaskMemFree (pv=0x1139bd0) [0088.039] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.039] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce68a0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\KERNELBASE.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")) returned 0x22 [0088.039] CoTaskMemFree (pv=0x1139bd0) [0088.039] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce4de0000, lpmodinfo=0x2c89648, cb=0x18 | out: lpmodinfo=0x2c89648*(lpBaseOfDll=0x7ffce4de0000, SizeOfImage=0x7e000, EntryPoint=0x7ffce4df75f0)) returned 1 [0088.039] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.039] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce4de0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="apphelp.dll") returned 0xb [0088.040] CoTaskMemFree (pv=0x1139bd0) [0088.040] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.040] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce4de0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")) returned 0x1f [0088.040] CoTaskMemFree (pv=0x1139bd0) [0088.040] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce91d0000, lpmodinfo=0x2c8b7f0, cb=0x18 | out: lpmodinfo=0x2c8b7f0*(lpBaseOfDll=0x7ffce91d0000, SizeOfImage=0xa1000, EntryPoint=0x7ffce91e42f0)) returned 1 [0088.040] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.040] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce91d0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="ADVAPI32.dll") returned 0xc [0088.040] CoTaskMemFree (pv=0x1139bd0) [0088.040] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.040] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce91d0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\ADVAPI32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")) returned 0x20 [0088.040] CoTaskMemFree (pv=0x1139bd0) [0088.040] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcea250000, lpmodinfo=0x2c8d9a8, cb=0x18 | out: lpmodinfo=0x2c8d9a8*(lpBaseOfDll=0x7ffcea250000, SizeOfImage=0x9d000, EntryPoint=0x7ffcea2577c0)) returned 1 [0088.041] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.041] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcea250000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="msvcrt.dll") returned 0xa [0088.041] CoTaskMemFree (pv=0x1139bd0) [0088.041] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.041] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcea250000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")) returned 0x1e [0088.041] CoTaskMemFree (pv=0x1139bd0) [0088.041] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce9430000, lpmodinfo=0x2c8fb50, cb=0x18 | out: lpmodinfo=0x2c8fb50*(lpBaseOfDll=0x7ffce9430000, SizeOfImage=0x59000, EntryPoint=0x7ffce9436130)) returned 1 [0088.041] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.041] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce9430000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="sechost.dll") returned 0xb [0088.042] CoTaskMemFree (pv=0x1139bd0) [0088.042] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.042] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce9430000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")) returned 0x1f [0088.042] CoTaskMemFree (pv=0x1139bd0) [0088.042] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce78e0000, lpmodinfo=0x2c91d90, cb=0x18 | out: lpmodinfo=0x2c91d90*(lpBaseOfDll=0x7ffce78e0000, SizeOfImage=0x125000, EntryPoint=0x7ffce7946540)) returned 1 [0088.042] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.042] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce78e0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="RPCRT4.dll") returned 0xa [0088.042] CoTaskMemFree (pv=0x1139bd0) [0088.042] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.042] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce78e0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\RPCRT4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")) returned 0x1e [0088.043] CoTaskMemFree (pv=0x1139bd0) [0088.043] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcca8b0000, lpmodinfo=0x2c93f38, cb=0x18 | out: lpmodinfo=0x2c93f38*(lpBaseOfDll=0x7ffcca8b0000, SizeOfImage=0x9d000, EntryPoint=0x7ffcca8b1010)) returned 1 [0088.043] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.043] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcca8b0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="mscoreei.dll") returned 0xc [0088.043] CoTaskMemFree (pv=0x1139bd0) [0088.043] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.043] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcca8b0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll")) returned 0x3c [0088.043] CoTaskMemFree (pv=0x1139bd0) [0088.043] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce9490000, lpmodinfo=0x2c96128, cb=0x18 | out: lpmodinfo=0x2c96128*(lpBaseOfDll=0x7ffce9490000, SizeOfImage=0x51000, EntryPoint=0x7ffce949a0e0)) returned 1 [0088.044] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.044] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce9490000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="SHLWAPI.dll") returned 0xb [0088.044] CoTaskMemFree (pv=0x1139bd0) [0088.044] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.044] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce9490000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\SHLWAPI.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")) returned 0x1f [0088.044] CoTaskMemFree (pv=0x1139bd0) [0088.044] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce9f20000, lpmodinfo=0x2c982d0, cb=0x18 | out: lpmodinfo=0x2c982d0*(lpBaseOfDll=0x7ffce9f20000, SizeOfImage=0x2f9000, EntryPoint=0x7ffcea0029d0)) returned 1 [0088.044] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.044] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce9f20000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="combase.dll") returned 0xb [0088.044] CoTaskMemFree (pv=0x1139bd0) [0088.044] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.045] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce9f20000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")) returned 0x1f [0088.045] CoTaskMemFree (pv=0x1139bd0) [0088.045] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce7010000, lpmodinfo=0x2c9a478, cb=0x18 | out: lpmodinfo=0x2c9a478*(lpBaseOfDll=0x7ffce7010000, SizeOfImage=0xf6000, EntryPoint=0x7ffce701f200)) returned 1 [0088.045] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.045] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce7010000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="ucrtbase.dll") returned 0xc [0088.045] CoTaskMemFree (pv=0x1139bd0) [0088.045] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.045] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce7010000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")) returned 0x20 [0088.046] CoTaskMemFree (pv=0x1139bd0) [0088.046] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce7110000, lpmodinfo=0x2c9c630, cb=0x18 | out: lpmodinfo=0x2c9c630*(lpBaseOfDll=0x7ffce7110000, SizeOfImage=0x6a000, EntryPoint=0x7ffce713d7f0)) returned 1 [0088.046] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.046] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce7110000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="bcryptPrimitives.dll") returned 0x14 [0088.046] CoTaskMemFree (pv=0x1139bd0) [0088.046] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.046] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce7110000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\bcryptPrimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")) returned 0x28 [0088.046] CoTaskMemFree (pv=0x1139bd0) [0088.046] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce7c40000, lpmodinfo=0x2c9e808, cb=0x18 | out: lpmodinfo=0x2c9e808*(lpBaseOfDll=0x7ffce7c40000, SizeOfImage=0x27000, EntryPoint=0x7ffce7c445f0)) returned 1 [0088.046] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.046] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce7c40000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="GDI32.dll") returned 0x9 [0088.046] CoTaskMemFree (pv=0x1139bd0) [0088.047] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.047] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce7c40000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\GDI32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")) returned 0x1d [0088.048] CoTaskMemFree (pv=0x1139bd0) [0088.048] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce6af0000, lpmodinfo=0x2ca09b0, cb=0x18 | out: lpmodinfo=0x2ca09b0*(lpBaseOfDll=0x7ffce6af0000, SizeOfImage=0x188000, EntryPoint=0x7ffce6b3bb00)) returned 1 [0088.048] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.048] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce6af0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="gdi32full.dll") returned 0xd [0088.048] CoTaskMemFree (pv=0x1139bd0) [0088.048] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.048] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce6af0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll")) returned 0x21 [0088.048] CoTaskMemFree (pv=0x1139bd0) [0088.049] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce6f50000, lpmodinfo=0x2ca2c80, cb=0x18 | out: lpmodinfo=0x2ca2c80*(lpBaseOfDll=0x7ffce6f50000, SizeOfImage=0x9a000, EntryPoint=0x7ffce6f5e2e0)) returned 1 [0088.049] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.049] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce6f50000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="msvcp_win.dll") returned 0xd [0088.049] CoTaskMemFree (pv=0x1139bd0) [0088.049] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.049] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce6f50000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll")) returned 0x21 [0088.049] CoTaskMemFree (pv=0x1139bd0) [0088.049] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce9280000, lpmodinfo=0x2ca4e38, cb=0x18 | out: lpmodinfo=0x2ca4e38*(lpBaseOfDll=0x7ffce9280000, SizeOfImage=0x14a000, EntryPoint=0x7ffce9290e10)) returned 1 [0088.049] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.049] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce9280000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="USER32.dll") returned 0xa [0088.049] CoTaskMemFree (pv=0x1139bd0) [0088.050] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.050] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce9280000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\USER32.dll" (normalized: "c:\\windows\\system32\\user32.dll")) returned 0x1e [0088.050] CoTaskMemFree (pv=0x1139bd0) [0088.050] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce6ff0000, lpmodinfo=0x2ca6fe0, cb=0x18 | out: lpmodinfo=0x2ca6fe0*(lpBaseOfDll=0x7ffce6ff0000, SizeOfImage=0x1e000, EntryPoint=0x0)) returned 1 [0088.050] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.050] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce6ff0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="win32u.dll") returned 0xa [0088.050] CoTaskMemFree (pv=0x1139bd0) [0088.050] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.050] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce6ff0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll")) returned 0x1e [0088.050] CoTaskMemFree (pv=0x1139bd0) [0088.050] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcea220000, lpmodinfo=0x2ca9188, cb=0x18 | out: lpmodinfo=0x2ca9188*(lpBaseOfDll=0x7ffcea220000, SizeOfImage=0x2d000, EntryPoint=0x7ffcea221670)) returned 1 [0088.050] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.051] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcea220000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="IMM32.DLL") returned 0x9 [0088.051] CoTaskMemFree (pv=0x1139bd0) [0088.051] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.051] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcea220000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\IMM32.DLL" (normalized: "c:\\windows\\system32\\imm32.dll")) returned 0x1d [0088.051] CoTaskMemFree (pv=0x1139bd0) [0088.051] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce6880000, lpmodinfo=0x2cab330, cb=0x18 | out: lpmodinfo=0x2cab330*(lpBaseOfDll=0x7ffce6880000, SizeOfImage=0x11000, EntryPoint=0x7ffce68834c0)) returned 1 [0088.051] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.051] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce6880000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="kernel.appcore.dll") returned 0x12 [0088.051] CoTaskMemFree (pv=0x1139bd0) [0088.051] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.051] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce6880000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")) returned 0x26 [0088.051] CoTaskMemFree (pv=0x1139bd0) [0088.051] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcd6170000, lpmodinfo=0x2cad4f8, cb=0x18 | out: lpmodinfo=0x2cad4f8*(lpBaseOfDll=0x7ffcd6170000, SizeOfImage=0xa000, EntryPoint=0x7ffcd6171300)) returned 1 [0088.052] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.052] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcd6170000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="VERSION.dll") returned 0xb [0088.052] CoTaskMemFree (pv=0x1139bd0) [0088.052] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.052] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcd6170000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\VERSION.dll" (normalized: "c:\\windows\\system32\\version.dll")) returned 0x1f [0088.052] CoTaskMemFree (pv=0x1139bd0) [0088.052] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcc9b20000, lpmodinfo=0x2caf6a0, cb=0x18 | out: lpmodinfo=0x2caf6a0*(lpBaseOfDll=0x7ffcc9b20000, SizeOfImage=0x9de000, EntryPoint=0x7ffcc9b25860)) returned 1 [0088.052] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.052] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcc9b20000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="clr.dll") returned 0x7 [0088.053] CoTaskMemFree (pv=0x1139bd0) [0088.053] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.053] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcc9b20000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll")) returned 0x37 [0088.053] CoTaskMemFree (pv=0x1139bd0) [0088.053] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcca5b0000, lpmodinfo=0x2cb1870, cb=0x18 | out: lpmodinfo=0x2cb1870*(lpBaseOfDll=0x7ffcca5b0000, SizeOfImage=0xf7000, EntryPoint=0x7ffcca5d4db0)) returned 1 [0088.053] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.053] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcca5b0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="MSVCR120_CLR0400.dll") returned 0x14 [0088.053] CoTaskMemFree (pv=0x1139bd0) [0088.053] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.053] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcca5b0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SYSTEM32\\MSVCR120_CLR0400.dll" (normalized: "c:\\windows\\system32\\msvcr120_clr0400.dll")) returned 0x28 [0088.054] CoTaskMemFree (pv=0x1139bd0) [0088.054] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcc85a0000, lpmodinfo=0x2cb3a48, cb=0x18 | out: lpmodinfo=0x2cb3a48*(lpBaseOfDll=0x7ffcc85a0000, SizeOfImage=0x157e000, EntryPoint=0x0)) returned 1 [0088.054] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.054] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcc85a0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="mscorlib.ni.dll") returned 0xf [0088.054] CoTaskMemFree (pv=0x1139bd0) [0088.054] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.054] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcc85a0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\2ef49acbb43c068f6ddf1587283b5f29\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\2ef49acbb43c068f6ddf1587283b5f29\\mscorlib.ni.dll")) returned 0x68 [0088.054] CoTaskMemFree (pv=0x1139bd0) [0088.054] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffce94f0000, lpmodinfo=0x2cb5c90, cb=0x18 | out: lpmodinfo=0x2cb5c90*(lpBaseOfDll=0x7ffce94f0000, SizeOfImage=0x145000, EntryPoint=0x7ffce9518ad0)) returned 1 [0088.055] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.055] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffce94f0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="ole32.dll") returned 0x9 [0088.055] CoTaskMemFree (pv=0x1139bd0) [0088.055] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.055] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffce94f0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")) returned 0x1d [0088.055] CoTaskMemFree (pv=0x1139bd0) [0088.055] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcc8420000, lpmodinfo=0x2cb7e38, cb=0x18 | out: lpmodinfo=0x2cb7e38*(lpBaseOfDll=0x7ffcc8420000, SizeOfImage=0x114000, EntryPoint=0x7ffcc8421080)) returned 1 [0088.055] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.055] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcc8420000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="clrjit.dll") returned 0xa [0088.055] CoTaskMemFree (pv=0x1139bd0) [0088.055] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.055] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcc8420000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll")) returned 0x3a [0088.056] CoTaskMemFree (pv=0x1139bd0) [0088.056] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcc77f0000, lpmodinfo=0x2cba018, cb=0x18 | out: lpmodinfo=0x2cba018*(lpBaseOfDll=0x7ffcc77f0000, SizeOfImage=0xc22000, EntryPoint=0x0)) returned 1 [0088.056] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.056] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcc77f0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="System.ni.dll") returned 0xd [0088.056] CoTaskMemFree (pv=0x1139bd0) [0088.056] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.056] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcc77f0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\assembly\\NativeImages_v4.0.30319_64\\System\\81628942bacc75f31a81ed994f9aadfc\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\81628942bacc75f31a81ed994f9aadfc\\system.ni.dll")) returned 0x64 [0088.056] CoTaskMemFree (pv=0x1139bd0) [0088.056] GetModuleInformation (in: hProcess=0x270, hModule=0x7ffcea2f0000, lpmodinfo=0x2cbc258, cb=0x18 | out: lpmodinfo=0x2cbc258*(lpBaseOfDll=0x7ffcea2f0000, SizeOfImage=0x8000, EntryPoint=0x7ffcea2f1090)) returned 1 [0088.057] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.057] GetModuleBaseNameW (in: hProcess=0x270, hModule=0x7ffcea2f0000, lpBaseName=0x1139bd0, nSize=0x800 | out: lpBaseName="psapi.dll") returned 0x9 [0088.057] CoTaskMemFree (pv=0x1139bd0) [0088.057] CoTaskMemAlloc (cb=0x804) returned 0x1139bd0 [0088.057] GetModuleFileNameExW (in: hProcess=0x270, hModule=0x7ffcea2f0000, lpFilename=0x1139bd0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")) returned 0x1d [0088.057] CoTaskMemFree (pv=0x1139bd0) [0088.058] CloseHandle (hObject=0x270) returned 1 [0088.404] CoTaskMemAlloc (cb=0x1) returned 0x1132710 [0088.524] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualAlloc", cchWideChar=12, lpMultiByteStr=0xefd680, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualAllocÿÿÿÿpÖï", lpUsedDefaultChar=0x0) returned 12 [0088.525] GetProcAddress (hModule=0x7ffce9120000, lpProcName="VirtualAlloc") returned 0x7ffce91397f0 [0088.575] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x1000, flProtect=0x40) returned 0x1000000 [0088.576] VirtualProtect (in: lpAddress=0x7ffcc84fe528, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0xefdab0 | out: lpflOldProtect=0xefdab0*=0x2) returned 1 [0088.582] VirtualProtect (in: lpAddress=0x7ffcc84fe528, dwSize=0x8, flNewProtect=0x2, lpflOldProtect=0xefdab0 | out: lpflOldProtect=0xefdab0*=0x40) returned 1 [0090.691] CoTaskMemAlloc (cb=0xb) returned 0x1138fd0 [0092.487] BCryptGetFipsAlgorithmMode (in: pfEnabled=0xefd780 | out: pfEnabled=0xefd780) returned 0x0 [0092.778] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefd100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0092.778] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefd290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0092.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xefd720) returned 1 [0092.784] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dddd.exe"), fInfoLevelId=0x0, lpFileInformation=0xefd800 | out: lpFileInformation=0xefd800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42cf8100, ftCreationTime.dwHighDateTime=0x1d6b327, ftLastAccessTime.dwLowDateTime=0x42cf8100, ftLastAccessTime.dwHighDateTime=0x1d6b327, ftLastWriteTime.dwLowDateTime=0x3c400a00, ftLastWriteTime.dwHighDateTime=0x1d6b325, nFileSizeHigh=0x0, nFileSizeLow=0x91e00)) returned 1 [0092.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xefd6e0) returned 1 [0092.784] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefd100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0092.809] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefd180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0092.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xefd6a0) returned 1 [0092.810] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\dddd.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x290 [0092.810] GetFileType (hFile=0x290) returned 0x1 [0092.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xefd610) returned 1 [0092.810] GetFileType (hFile=0x290) returned 0x1 [0092.851] GetFileSize (in: hFile=0x290, lpFileSizeHigh=0xefd848 | out: lpFileSizeHigh=0xefd848*=0x0) returned 0x91e00 [0092.852] ReadFile (in: hFile=0x290, lpBuffer=0x12c81968, nNumberOfBytesToRead=0x91e00, lpNumberOfBytesRead=0xefd778, lpOverlapped=0x0 | out: lpBuffer=0x12c81968*, lpNumberOfBytesRead=0xefd778*=0x91e00, lpOverlapped=0x0) returned 1 [0093.406] CloseHandle (hObject=0x290) returned 1 [0093.414] CoTaskMemAlloc (cb=0x7) returned 0x114dc90 [0093.426] CoTaskMemAlloc (cb=0x4a) returned 0x11330d0 [0093.427] CoTaskMemAlloc (cb=0xe) returned 0x1138bb0 [0093.427] CoTaskMemAlloc (cb=0xb) returned 0x1138ff0 [0094.353] CoTaskMemAlloc (cb=0xb) returned 0x1138c30 [0094.354] CoTaskMemAlloc (cb=0x90) returned 0x1121ca0 [0095.022] CoTaskMemAlloc (cb=0x4a) returned 0x1132ef0 [0095.023] CoTaskMemAlloc (cb=0xe) returned 0x1138c50 [0095.025] CoTaskMemAlloc (cb=0xe) returned 0x1138c70 [0095.026] CoTaskMemAlloc (cb=0x6) returned 0x114dcd0 [0095.027] CoTaskMemAlloc (cb=0x9) returned 0x1138cf0 [0096.565] CoTaskMemAlloc (cb=0x13) returned 0x10c4d00 [0099.996] CoTaskMemAlloc (cb=0x1d) returned 0x113e230 [0100.200] CoTaskMemAlloc (cb=0x13) returned 0x1155750 [0100.217] CoTaskMemAlloc (cb=0x4f) returned 0x11329b0 [0100.220] CoTaskMemAlloc (cb=0xe) returned 0x1155af0 [0100.222] CoTaskMemAlloc (cb=0xe) returned 0x11556d0 [0101.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", nBufferLength=0x105, lpBuffer=0xefe420, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\dddd.exe", lpFilePart=0x0) returned 0x20 [0101.979] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\dddd.exe:Zone.Identifier" (normalized: "c:\\users\\fd1hvy\\desktop\\dddd.exe:zone.identifier")) returned 0 [0102.043] CoTaskMemAlloc (cb=0x145) returned 0x113a060 [0102.259] CoTaskMemAlloc (cb=0xb) returned 0x1155950 [0103.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0xefe1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0103.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0xefe2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0103.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xefe780) returned 1 [0103.765] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0xefe860 | out: lpFileInformation=0xefe860*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0103.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xefe740) returned 1 [0103.964] CoTaskMemAlloc (cb=0x13) returned 0x11559f0 [0104.040] CoTaskMemAlloc (cb=0x1b) returned 0x1151580 [0104.143] CoTaskMemAlloc (cb=0x106) returned 0x11568c0 [0104.270] CoTaskMemAlloc (cb=0x13) returned 0x11557b0 [0104.280] CoTaskMemAlloc (cb=0x13) returned 0x1155c10 [0104.344] CoTaskMemAlloc (cb=0x1b) returned 0x1150f20 [0104.510] CoTaskMemAlloc (cb=0x47a) returned 0x1155c90 [0104.751] CoTaskMemAlloc (cb=0xb) returned 0x11557d0 [0104.755] CoTaskMemAlloc (cb=0x20c) returned 0x1147da0 [0104.755] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x1147da0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0104.755] CoTaskMemFree (pv=0x1147da0) [0104.755] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0xefe500, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x23 [0104.755] CoTaskMemAlloc (cb=0x13) returned 0x1155a30 [0104.768] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", nBufferLength=0x105, lpBuffer=0xefe540, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", lpFilePart=0x0) returned 0x2c [0104.769] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\javas.exe")) returned 0 [0104.774] CoTaskMemAlloc (cb=0x13) returned 0x11558b0 [0104.777] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", nBufferLength=0x105, lpBuffer=0xefe370, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", lpFilePart=0x0) returned 0x2c [0104.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xefe890) returned 1 [0104.777] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\javas.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x310 [0105.001] GetFileType (hFile=0x310) returned 0x1 [0105.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xefe800) returned 1 [0105.001] GetFileType (hFile=0x310) returned 0x1 [0105.001] WriteFile (in: hFile=0x310, lpBuffer=0x12dfd5e0*, nNumberOfBytesToWrite=0x2f800, lpNumberOfBytesWritten=0xefe9c8, lpOverlapped=0x0 | out: lpBuffer=0x12dfd5e0*, lpNumberOfBytesWritten=0xefe9c8*=0x2f800, lpOverlapped=0x0) returned 1 [0105.008] CloseHandle (hObject=0x310) returned 1 [0105.017] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", nBufferLength=0x105, lpBuffer=0xefe570, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", lpFilePart=0x0) returned 0x2c [0105.035] CoTaskMemAlloc (cb=0xf) returned 0x11558d0 [0105.043] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xefe9e0) returned 1 [0105.043] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\javas.exe"), fInfoLevelId=0x0, lpFileInformation=0x2d29df8 | out: lpFileInformation=0x2d29df8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x822d5216, ftCreationTime.dwHighDateTime=0x1d6b327, ftLastAccessTime.dwLowDateTime=0x822d5216, ftLastAccessTime.dwHighDateTime=0x1d6b327, ftLastWriteTime.dwLowDateTime=0x822fe94c, ftLastWriteTime.dwHighDateTime=0x1d6b327, nFileSizeHigh=0x0, nFileSizeLow=0x2f800)) returned 1 [0105.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xefe9a0) returned 1 [0105.048] CoTaskMemAlloc (cb=0x13) returned 0x11555f0 [0105.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", dwFileAttributes=0x26) returned 1 [0105.115] CoTaskMemAlloc (cb=0xf) returned 0x1155a50 Thread: id = 2 os_tid = 0x11d0 Thread: id = 3 os_tid = 0x117c Thread: id = 4 os_tid = 0x1204 [0083.146] CoGetContextToken (in: pToken=0x1b1ef530 | out: pToken=0x1b1ef530) returned 0x0 [0083.146] CObjectContext::QueryInterface () returned 0x0 [0083.147] CObjectContext::GetCurrentThreadType () returned 0x0 [0083.147] Release () returned 0x0 [0083.147] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0083.147] RoInitialize () returned 0x1 [0083.147] RoUninitialize () returned 0x0 Thread: id = 5 os_tid = 0x368 [0105.370] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0107.577] RoInitialize () returned 0x1 [0107.578] RoUninitialize () returned 0x0 [0107.589] ShellExecuteExW (pExecInfo=0x2d2bf58*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\javas.exe", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 6 os_tid = 0xa24 Thread: id = 7 os_tid = 0xd10 Thread: id = 8 os_tid = 0xac0