# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Sep 12 2017 16:39:44 # Log Creation Date: 20.09.2017 16:07:28.611 Process: id = "1" image_name = "lxqfwvdqlkd.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe" page_root = "0x66858000" os_pid = "0x9f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7 start_va = 0x400000 end_va = 0x447fff entry_point = 0x400000 region_type = mapped_file name = "lxqfwvdqlkd.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe") Region: id = 8 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 11 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 12 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 13 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 14 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 15 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 149 start_va = 0x1e0000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 150 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73a70000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 151 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73ad0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 152 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b40000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 153 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 154 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 155 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 156 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 157 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 158 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 159 start_va = 0x450000 end_va = 0x4b6fff entry_point = 0x450000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 160 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 161 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 162 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 163 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x75120000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 164 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75240000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 165 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x75260000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 166 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753c0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 167 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 168 start_va = 0x75570000 end_va = 0x756cbfff entry_point = 0x75570000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 169 start_va = 0x763e0000 end_va = 0x7646efff entry_point = 0x763e0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 170 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x76750000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 171 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x76760000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 172 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b30000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 173 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 174 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 175 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 176 start_va = 0x590000 end_va = 0x717fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 177 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 178 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ad0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 179 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 180 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 181 start_va = 0x720000 end_va = 0x8a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 182 start_va = 0x8b0000 end_va = 0x1caffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 183 start_va = 0x1d70000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 184 start_va = 0x1d80000 end_va = 0x217ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 185 start_va = 0x2180000 end_va = 0x244efff entry_point = 0x2180000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 186 start_va = 0x2450000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 187 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 188 start_va = 0x738b0000 end_va = 0x7392ffff entry_point = 0x738b0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 189 start_va = 0x1cb0000 end_va = 0x1d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 190 start_va = 0x2550000 end_va = 0x262efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002550000" filename = "" Region: id = 191 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 192 start_va = 0x2780000 end_va = 0x278ffff entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 193 start_va = 0x74ec0000 end_va = 0x74f1efff entry_point = 0x74ec0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 194 start_va = 0x73430000 end_va = 0x73442fff entry_point = 0x73430000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 195 start_va = 0x1b0000 end_va = 0x1b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 196 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 197 start_va = 0x2790000 end_va = 0x2b82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002790000" filename = "" Region: id = 198 start_va = 0x2b90000 end_va = 0x34bffff entry_point = 0x2b90000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 199 start_va = 0x74e60000 end_va = 0x74eb0fff entry_point = 0x74e60000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 200 start_va = 0x2450000 end_va = 0x24fffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 201 start_va = 0x2510000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 202 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 203 start_va = 0x2630000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 204 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 205 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 206 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x1d0000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msctf.dll.mui") Region: id = 207 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 208 start_va = 0x2450000 end_va = 0x24cffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 209 start_va = 0x24f0000 end_va = 0x24fffff entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 210 start_va = 0x3a0000 end_va = 0x3a8fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 211 start_va = 0x34c0000 end_va = 0x74bffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 212 start_va = 0x75790000 end_va = 0x763d9fff entry_point = 0x75790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 213 start_va = 0x77100000 end_va = 0x77156fff entry_point = 0x77100000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 214 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Thread: id = 1 os_tid = 0x9f8 [0024.406] GetVersion () returned 0x1db10106 [0024.408] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x765b0000 [0024.431] GetProcAddress (hModule=0x765b0000, lpProcName="IsTNT") returned 0x0 [0024.432] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1d80000 [0024.433] VirtualAlloc (lpAddress=0x1d80000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1d80000 [0024.434] GetCurrentThreadId () returned 0x9f8 [0024.434] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" " [0024.434] GetEnvironmentStringsW () returned 0x2b47e0* [0024.434] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0024.434] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x1d707d0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0024.434] FreeEnvironmentStringsW (penv=0x2b47e0) returned 1 [0024.434] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0024.434] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0024.434] GetFileType (hFile=0x0) returned 0x0 [0024.434] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0024.434] GetFileType (hFile=0x0) returned 0x0 [0024.434] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0024.434] GetFileType (hFile=0x0) returned 0x0 [0024.434] SetHandleCount (uNumber=0x20) returned 0x20 [0024.434] GetACP () returned 0x4e4 [0024.434] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0024.434] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x35 [0024.435] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x765b0000 [0024.435] GetProcAddress (hModule=0x765b0000, lpProcName="IsProcessorFeaturePresent") returned 0x765c5235 [0024.435] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0024.449] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0024.449] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0024.449] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0024.449] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0024.449] GetVersion () returned 0x1db10106 [0024.449] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0024.451] GetUserDefaultLCID () returned 0x409 [0024.451] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0024.452] GetSystemMetrics (nIndex=5) returned 1 [0024.452] GetSystemMetrics (nIndex=6) returned 1 [0024.452] GetSystemMetrics (nIndex=11) returned 32 [0024.452] GetSystemMetrics (nIndex=12) returned 32 [0024.452] GetSystemMetrics (nIndex=34) returned 132 [0024.452] GetSystemMetrics (nIndex=35) returned 38 [0024.452] GetSystemMetrics (nIndex=0) returned 1440 [0024.452] GetSystemMetrics (nIndex=1) returned 900 [0024.452] GetSystemMetrics (nIndex=32) returned 8 [0024.452] GetSystemMetrics (nIndex=33) returned 8 [0024.452] GetSystemMetrics (nIndex=42) returned 0 [0024.452] GetStockObject (i=15) returned 0x188000b [0024.452] GetStockObject (i=7) returned 0x1b00017 [0024.452] GetStockObject (i=6) returned 0x1b00018 [0024.452] GetStockObject (i=8) returned 0x1b00016 [0024.452] GetStockObject (i=4) returned 0x1900011 [0024.452] GetStockObject (i=2) returned 0x1900012 [0024.452] GetStockObject (i=0) returned 0x1900010 [0024.452] GetStockObject (i=5) returned 0x1900015 [0024.452] GetStockObject (i=13) returned 0x18a002e [0024.452] GetDC (hWnd=0x0) returned 0x3010888 [0024.452] GetTextExtentPointA (in: hdc=0x3010888, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0024.454] GetDeviceCaps (hdc=0x3010888, index=14) returned 1 [0024.454] GetDeviceCaps (hdc=0x3010888, index=12) returned 32 [0024.454] GetDeviceCaps (hdc=0x3010888, index=88) returned 96 [0024.454] GetDeviceCaps (hdc=0x3010888, index=90) returned 96 [0024.454] GetDeviceCaps (hdc=0x3010888, index=38) returned 32409 [0024.454] ReleaseDC (hWnd=0x0, hDC=0x3010888) returned 1 [0024.454] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x756b66bc) returned 0x0 [0024.454] GetCurrentThreadId () returned 0x9f8 [0024.455] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0024.455] GetCurrentThreadId () returned 0x9f8 [0024.455] GetCurrentThreadId () returned 0x9f8 [0024.455] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" " [0024.455] lstrlenA (lpString="") returned 0 [0024.455] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0024.455] SetErrorMode (uMode=0x8001) returned 0x0 [0024.455] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0024.455] GetUserDefaultLCID () returned 0x409 [0024.455] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0024.455] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0024.455] GetSystemDefaultLCID () returned 0x409 [0024.455] GetUserDefaultLCID () returned 0x409 [0024.455] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0024.455] GetStockObject (i=13) returned 0x18a002e [0024.455] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0024.455] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0024.455] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0024.455] lstrlenA (lpString="{xx}") returned 4 [0024.455] lstrlenA (lpString="VB98.CHM") returned 8 [0024.455] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0024.455] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0024.455] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0024.455] lstrlenA (lpString="{xx}") returned 4 [0024.455] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0024.455] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0024.455] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x35 [0024.455] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0024.456] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0024.456] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0024.456] lstrcpyA (in: lpString1=0x4f17b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0024.456] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\5P5NRGJN0JS HALPMCXZ\\DESKTOP\\LXQFWVDQLKD.EXE") returned 54 [0024.456] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0024.456] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0024.456] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?5P5NRGJN0JS HALPMCXZ?DESKTOP?LXQFWVDQLKD.EXE") returned 0x90 [0024.456] GetLastError () returned 0x0 [0024.456] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0024.456] OleInitialize (pvReserved=0x0) returned 0x0 [0024.518] OaBuildVersion () returned 0x321396 [0024.518] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x763e0000 [0024.518] GetLastError () returned 0x0 [0024.518] GetProcAddress (hModule=0x763e0000, lpProcName="OleLoadPictureEx") returned 0x764470a1 [0024.518] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc144 [0024.518] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b2 [0024.519] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0024.519] RegisterClassA (lpWndClass=0x18fc34) returned 0xc142 [0024.519] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0024.519] RegisterClassA (lpWndClass=0x18fc34) returned 0xc13a [0024.519] GetUserDefaultLCID () returned 0x409 [0024.519] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0024.519] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x1a0000 [0024.520] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.520] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.520] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.521] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.521] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.521] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.521] VirtualProtect (in: lpAddress=0x1a0000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0024.521] GetCurrentProcess () returned 0xffffffff [0024.521] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x1a0000, dwSize=0x6000) returned 1 [0024.521] GlobalAddAtomA (lpString="VBDisabled") returned 0xc0ed [0024.521] GetVersion () returned 0x1db10106 [0024.521] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x763e0000 [0024.521] GetProcAddress (hModule=0x763e0000, lpProcName="DispCallFunc") returned 0x763f3dcf [0024.521] GetProcAddress (hModule=0x763e0000, lpProcName="LoadTypeLibEx") returned 0x763f07b7 [0024.521] GetProcAddress (hModule=0x763e0000, lpProcName="UnRegisterTypeLib") returned 0x76411ca9 [0024.521] GetProcAddress (hModule=0x763e0000, lpProcName="CreateTypeLib2") returned 0x763f8e70 [0024.521] GetProcAddress (hModule=0x763e0000, lpProcName="VarDateFromUdate") returned 0x763f7684 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarUdateFromDate") returned 0x763fcc98 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="GetAltMonthNames") returned 0x7642903a [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarNumFromParseNum") returned 0x763f6231 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarParseNumFromStr") returned 0x763f5fea [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecFromR4") returned 0x76403f94 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecFromR8") returned 0x76404e9e [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecFromDate") returned 0x7642db72 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecFromI4") returned 0x76412a8c [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecFromCy") returned 0x7642d737 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="VarR4FromDec") returned 0x7642e015 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x7642cc3d [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="GetRecordInfoFromGuids") returned 0x7642d1c4 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArrayGetRecordInfo") returned 0x7642d48c [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArraySetRecordInfo") returned 0x7642d4c6 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArrayGetIID") returned 0x7642d509 [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArraySetIID") returned 0x763fe7bb [0024.522] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArrayCopyData") returned 0x763fe496 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x763fddf1 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="SafeArrayCreateEx") returned 0x7642d53f [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarFormat") returned 0x76432055 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarFormatDateTime") returned 0x764320ea [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarFormatNumber") returned 0x76432151 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarFormatPercent") returned 0x764321f5 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarFormatCurrency") returned 0x76432288 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarWeekdayName") returned 0x76432335 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarMonthName") returned 0x764323d5 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarAdd") returned 0x76405934 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarAnd") returned 0x76405a98 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarCat") returned 0x764059b4 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarDiv") returned 0x7645e405 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarEqv") returned 0x7645ef07 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarIdiv") returned 0x7645f00a [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarImp") returned 0x7645ef47 [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarMod") returned 0x7645f15e [0024.523] GetProcAddress (hModule=0x763e0000, lpProcName="VarMul") returned 0x7645dbd4 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarOr") returned 0x7645ecfa [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarPow") returned 0x7645ea66 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarSub") returned 0x7645d332 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarXor") returned 0x7645ee2e [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarAbs") returned 0x7645ca11 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarFix") returned 0x7645cc5f [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarInt") returned 0x7645cde7 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarNeg") returned 0x7645c802 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarNot") returned 0x7645ec66 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarRound") returned 0x7645d155 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarCmp") returned 0x763fb0dc [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecAdd") returned 0x76415f3e [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarDecCmp") returned 0x76404fd0 [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarBstrCat") returned 0x76400d2c [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarCyMulI4") returned 0x764159ed [0024.524] GetProcAddress (hModule=0x763e0000, lpProcName="VarBstrCmp") returned 0x763ef8b8 [0024.524] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75570000 [0024.525] GetProcAddress (hModule=0x75570000, lpProcName="CoCreateInstanceEx") returned 0x755b9d4e [0024.525] GetProcAddress (hModule=0x75570000, lpProcName="CLSIDFromProgIDEx") returned 0x75580782 [0024.525] GetSystemMetrics (nIndex=42) returned 0 [0024.525] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x756b66bc) returned 0x0 [0024.525] IMalloc:Alloc (This=0x756b66bc, cb=0x4) returned 0x2b8cd0 [0024.525] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x35 [0024.525] lstrcatA (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe.cfg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe.cfg" [0024.525] SetLastError (dwErrCode=0x0) [0024.525] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0024.526] SetLastError (dwErrCode=0x2) [0024.526] GetLastError () returned 0x2 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="MTX") returned -1 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="DLLHOST") returned 1 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="INETINFO") returned 1 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="W3WP") returned -1 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="ASPNET_WP") returned 1 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="DLLHST3G") returned 1 [0024.526] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x35 [0024.526] lstrcmpiA (lpString1="lxqfwvdqlkd", lpString2="IEXPLORE") returned 1 [0024.526] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74ec0000 [0024.544] GetLastError () returned 0x0 [0024.544] GetProcAddress (hModule=0x74ec0000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74f07685 [0024.544] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0024.544] CoRegisterMessageFilter (in: lpMessageFilter=0x4f2054, lplpMessageFilter=0x4f205c | out: lplpMessageFilter=0x4f205c*=0x0) returned 0x0 [0024.544] IUnknown:AddRef (This=0x4f2054) returned 0x2 [0024.544] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0024.544] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x7006b [0024.545] GetModuleHandleA (lpModuleName="USER32") returned 0x75120000 [0024.545] GetProcAddress (hModule=0x75120000, lpProcName="GetSystemMetrics") returned 0x75137d2f [0024.545] GetProcAddress (hModule=0x75120000, lpProcName="MonitorFromWindow") returned 0x75143150 [0024.545] GetProcAddress (hModule=0x75120000, lpProcName="MonitorFromRect") returned 0x7515e7a0 [0024.545] GetProcAddress (hModule=0x75120000, lpProcName="MonitorFromPoint") returned 0x75145281 [0024.545] GetProcAddress (hModule=0x75120000, lpProcName="EnumDisplayMonitors") returned 0x7514451a [0024.545] GetProcAddress (hModule=0x75120000, lpProcName="GetMonitorInfoA") returned 0x75144413 [0024.545] GetSystemMetrics (nIndex=0) returned 1440 [0024.545] GetSystemMetrics (nIndex=78) returned 1440 [0024.545] GetSystemMetrics (nIndex=1) returned 900 [0024.545] GetSystemMetrics (nIndex=79) returned 900 [0024.545] GetSystemMetrics (nIndex=50) returned 16 [0024.545] GetSystemMetrics (nIndex=49) returned 16 [0024.545] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x201e1 [0024.546] RegisterClassExA (param_1=0x18fe78) returned 0x8ec13c [0024.546] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x60130 [0024.546] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0024.547] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0024.547] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0024.547] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0024.547] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0024.547] MonitorFromWindow (hwnd=0x60130, dwFlags=0x2) returned 0x10001 [0024.547] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0024.547] SetWindowPos (hWnd=0x60130, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0024.547] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0024.548] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0024.548] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0024.548] ShowWindow (hWnd=0x60130, nCmdShow=4) returned 0 [0024.548] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0024.548] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0024.548] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0024.548] GetWindowThreadProcessId (in: hWnd=0x60130, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x9f8 [0024.548] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0024.548] GetUserDefaultLCID () returned 0x409 [0024.548] IsValidCodePage (CodePage=0x3a4) returned 1 [0024.550] IsValidCodePage (CodePage=0x3b5) returned 1 [0024.571] IsValidCodePage (CodePage=0x3b6) returned 1 [0024.594] IsValidCodePage (CodePage=0x3a8) returned 1 [0024.598] GetUserDefaultLangID () returned 0x409 [0024.598] GetSystemDefaultLangID () returned 0x2b0409 [0024.598] GetSystemMetrics (nIndex=42) returned 0 [0024.598] IMalloc:Alloc (This=0x756b66bc, cb=0xa8) returned 0x2bd3c0 [0024.598] IMalloc:GetSize (This=0x756b66bc, pv=0x2bd3c0) returned 0xa8 [0024.598] IMalloc:Alloc (This=0x756b66bc, cb=0xc) returned 0x2bca48 [0024.598] GetCurrentThreadId () returned 0x9f8 [0024.598] IMalloc:Alloc (This=0x756b66bc, cb=0x3c) returned 0x2b9be0 [0024.598] IMalloc:Alloc (This=0x756b66bc, cb=0x1c) returned 0x2b94a8 [0024.598] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0024.599] IMalloc:Alloc (This=0x756b66bc, cb=0x1c) returned 0x2b94d0 [0024.599] GetCurrentThreadId () returned 0x9f8 [0024.599] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x9f8) returned 0x20205 [0024.599] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0024.599] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c13d [0024.599] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x50128 [0024.599] NtdllDefWindowProc_A (hWnd=0x50128, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0024.599] NtdllDefWindowProc_A (hWnd=0x50128, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0024.599] NtdllDefWindowProc_A (hWnd=0x50128, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0024.599] NtdllDefWindowProc_A (hWnd=0x50128, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0024.599] NtdllDefWindowProc_A (hWnd=0x50128, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0024.599] SetWindowLongA (hWnd=0x50128, nIndex=0, dwNewLong=5185692) returned 0 [0024.599] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0024.599] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0024.599] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0024.599] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0024.599] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0024.599] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0024.599] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0024.600] CreateCompatibleDC (hdc=0x0) returned 0xf010878 [0024.600] GetCurrentObject (hdc=0xf010878, type=0x7) returned 0x185000f [0024.600] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x60130, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x50126 [0024.600] NtdllDefWindowProc_A (hWnd=0x50126, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0024.600] NtdllDefWindowProc_A (hWnd=0x50126, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0024.600] NtdllDefWindowProc_A (hWnd=0x50126, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0024.600] NtdllDefWindowProc_A (hWnd=0x50126, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0024.600] NtdllDefWindowProc_A (hWnd=0x50126, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0024.600] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x210, wParam=0x1, lParam=0x50126) returned 0x0 [0024.600] GetCurrentThreadId () returned 0x9f8 [0024.600] GetCurrentThreadId () returned 0x9f8 [0024.600] lstrlenA (lpString="VB") returned 2 [0024.600] lstrlenA (lpString="CommandButton") returned 13 [0024.601] lstrlenA (lpString="VB") returned 2 [0024.601] lstrlenA (lpString="Printer") returned 7 [0024.601] lstrlenA (lpString="VB") returned 2 [0024.601] lstrlenA (lpString="Form") returned 4 [0024.602] lstrlenA (lpString="VB") returned 2 [0024.602] lstrlenA (lpString="Screen") returned 6 [0024.602] lstrlenA (lpString="VB") returned 2 [0024.602] lstrlenA (lpString="Clipboard") returned 9 [0024.602] lstrlenA (lpString="VB") returned 2 [0024.602] lstrlenA (lpString="MDIForm") returned 7 [0024.602] lstrlenA (lpString="VB") returned 2 [0024.602] lstrlenA (lpString="App") returned 3 [0024.602] lstrlenA (lpString="VB") returned 2 [0024.602] lstrlenA (lpString="UserControl") returned 11 [0024.603] lstrlenA (lpString="VB") returned 2 [0024.603] lstrlenA (lpString="PropertyPage") returned 12 [0024.603] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0024.603] lstrlenA (lpString="VB") returned 2 [0024.603] lstrlenA (lpString="UserDocument") returned 12 [0024.604] GetCurrentThreadId () returned 0x9f8 [0024.604] GetCurrentThreadId () returned 0x9f8 [0024.605] GetCurrentThreadId () returned 0x9f8 [0024.605] GetCurrentThreadId () returned 0x9f8 [0024.605] GetCurrentThreadId () returned 0x9f8 [0024.605] GetCurrentThreadId () returned 0x9f8 [0024.605] lstrlenA (lpString="VB") returned 2 [0024.605] lstrlenA (lpString="PictureBox") returned 10 [0024.605] lstrlenA (lpString="VB") returned 2 [0024.605] lstrlenA (lpString="Label") returned 5 [0024.606] lstrlenA (lpString="VB") returned 2 [0024.606] lstrlenA (lpString="TextBox") returned 7 [0024.606] lstrlenA (lpString="VB") returned 2 [0024.606] lstrlenA (lpString="Frame") returned 5 [0024.606] lstrlenA (lpString="VB") returned 2 [0024.606] lstrlenA (lpString="CheckBox") returned 8 [0024.607] lstrlenA (lpString="VB") returned 2 [0024.607] lstrlenA (lpString="OptionButton") returned 12 [0024.607] lstrlenA (lpString="VB") returned 2 [0024.607] lstrlenA (lpString="ComboBox") returned 8 [0024.607] lstrlenA (lpString="VB") returned 2 [0024.607] lstrlenA (lpString="ListBox") returned 7 [0024.608] lstrlenA (lpString="VB") returned 2 [0024.608] lstrlenA (lpString="HScrollBar") returned 10 [0024.608] lstrlenA (lpString="VB") returned 2 [0024.608] lstrlenA (lpString="VScrollBar") returned 10 [0024.608] lstrlenA (lpString="VB") returned 2 [0024.608] lstrlenA (lpString="Timer") returned 5 [0024.609] lstrlenA (lpString="VB") returned 2 [0024.609] lstrlenA (lpString="DriveListBox") returned 12 [0024.609] lstrlenA (lpString="VB") returned 2 [0024.609] lstrlenA (lpString="DirListBox") returned 10 [0024.610] lstrlenA (lpString="VB") returned 2 [0024.610] lstrlenA (lpString="FileListBox") returned 11 [0024.610] lstrlenA (lpString="VB") returned 2 [0024.610] lstrlenA (lpString="Menu") returned 4 [0024.610] lstrlenA (lpString="VB") returned 2 [0024.610] lstrlenA (lpString="Shape") returned 5 [0024.610] lstrlenA (lpString="VB") returned 2 [0024.610] lstrlenA (lpString="Line") returned 4 [0024.611] lstrlenA (lpString="VB") returned 2 [0024.611] lstrlenA (lpString="Image") returned 5 [0024.611] lstrlenA (lpString="VB") returned 2 [0024.611] lstrlenA (lpString="Data") returned 4 [0024.611] lstrlenA (lpString="VB") returned 2 [0024.611] lstrlenA (lpString="OLE") returned 3 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0x64) returned 0x2b8ce0 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0x64) returned 0x2be470 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0x64) returned 0x2be4e0 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0x64) returned 0x2be550 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0xc) returned 0x2bca60 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0x68) returned 0x2be5c0 [0024.612] IMalloc:GetSize (This=0x756b66bc, pv=0x2be5c0) returned 0x68 [0024.612] IMalloc:Alloc (This=0x756b66bc, cb=0x20) returned 0x2b9688 [0024.613] GetCurrentThreadId () returned 0x9f8 [0024.613] GetCurrentThreadId () returned 0x9f8 [0024.613] IMalloc:Alloc (This=0x756b66bc, cb=0x1c) returned 0x2b96b0 [0024.613] VirtualProtect (in: lpAddress=0x1a0000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0024.613] GetCurrentProcess () returned 0xffffffff [0024.613] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x1a0000, dwSize=0x6000) returned 1 [0024.613] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.613] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.613] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.614] VirtualAlloc (lpAddress=0x1a0000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0024.614] VirtualProtect (in: lpAddress=0x1a0000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0024.614] GetCurrentProcess () returned 0xffffffff [0024.614] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x1a0000, dwSize=0xa000) returned 1 [0024.614] GetCurrentThreadId () returned 0x9f8 [0024.620] GetCurrentThreadId () returned 0x9f8 [0024.621] SetWindowTextA (hWnd=0x60130, lpString="Saberbill8") returned 1 [0024.621] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0024.621] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0024.633] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0024.633] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0024.634] IMalloc:Alloc (This=0x756b66bc, cb=0x64) returned 0x2be660 [0024.634] IMalloc:GetSize (This=0x756b66bc, pv=0x2be660) returned 0x64 [0024.667] GetCurrentThreadId () returned 0x9f8 [0024.667] GetCurrentThreadId () returned 0x9f8 [0024.667] GetCurrentThreadId () returned 0x9f8 [0024.689] GetCurrentThreadId () returned 0x9f8 [0024.689] GetCurrentThreadId () returned 0x9f8 [0024.689] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0024.695] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x14f5d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1e]w\x95\r>") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0024.695] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0024.696] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x72992cd8, cbMultiByte=-1, lpWideCharStr=0x18faa4, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0024.697] OleCreateFontIndirect () returned 0x0 [0024.699] lstrlenA (lpString="Southlander") returned 11 [0024.699] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x201e3 [0024.705] OleCreatePictureIndirect () returned 0x0 [0024.708] lstrlenA (lpString="Southlander") returned 11 [0024.708] lstrlenA (lpString="ThunderRT6") returned 10 [0024.708] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0024.708] lstrlenA (lpString="ThunderRT6Form") returned 14 [0024.708] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0024.708] lstrlenA (lpString="ThunderRT6") returned 10 [0024.708] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0024.708] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0024.708] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0024.708] RegisterClassA (lpWndClass=0x18fa78) returned 0xd9c13f [0024.708] lstrlenA (lpString="ThunderRT6") returned 10 [0024.708] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0024.708] lstrlenA (lpString="ThunderRT6Form") returned 14 [0024.708] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0024.708] RegisterClassA (lpWndClass=0x18fa78) returned 0xc143 [0024.708] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0024.708] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc143, lpWindowName="Southlander", dwStyle=0x2cf0000, X=265, Y=252, nWidth=151, nHeight=78, hWndParent=0x60130, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x201c6 [0024.709] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0024.709] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0024.723] GetSystemMenu (hWnd=0x201c6, bRevert=0) returned 0x201dd [0024.724] SetWindowContextHelpId (param_1=0x201c6, param_2=0xffffffff) returned 1 [0024.724] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0024.724] GetDC (hWnd=0x201c6) returned 0x760107e6 [0024.724] GetTextMetricsA (in: hdc=0x760107e6, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0024.724] SetBkMode (hdc=0x760107e6, mode=1) returned 2 [0024.729] OleTranslateColor () returned 0x0 [0024.729] SetBkColor (hdc=0x760107e6, color=0xf0f0f0) returned 0xffffff [0024.729] OleTranslateColor () returned 0x0 [0024.729] SetTextColor (hdc=0x760107e6, color=0x0) returned 0x0 [0024.729] OleTranslateColor () returned 0x0 [0024.729] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0xc300824 [0024.729] SelectObject (hdc=0x760107e6, h=0xc300824) returned 0x1b00017 [0024.729] SelectObject (hdc=0x760107e6, h=0x1900011) returned 0x1900010 [0024.729] ClientToScreen (in: hWnd=0x201c6, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0024.729] SetBrushOrgEx (in: hdc=0x760107e6, x=1, y=2, lppt=0x0 | out: lppt=0x0) returned 1 [0024.729] UnrealizeObject (h=0x1900015) returned 1 [0024.729] SelectObject (hdc=0x760107e6, h=0x1900015) returned 0x1900011 [0024.729] SelectObject (hdc=0x760107e6, h=0xa0a0884) returned 0x18a002e [0024.729] GetTextMetricsA (in: hdc=0x760107e6, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0024.730] lstrlenA (lpString="Southlander") returned 11 [0024.730] lstrlenA (lpString="ThunderRT6") returned 10 [0024.730] lstrcpyA (in: lpString1=0x18fa88, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0024.730] lstrlenA (lpString="ThunderRT6") returned 10 [0024.730] lstrcpyA (in: lpString1=0x18fa1c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0024.731] GetClassInfoA (in: hInstance=0x0, lpClassName="Button", lpWndClass=0x18fa48 | out: lpWndClass=0x18fa48) returned 1 [0024.731] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6CommandButton", lpWndClass=0x18fa48 | out: lpWndClass=0x18fa48) returned 0 [0024.731] RegisterClassA (lpWndClass=0x18fa48) returned 0xc139 [0024.731] CreateWindowExA (dwExStyle=0x4, lpClassName=0xc139, lpWindowName="Southlander", dwStyle=0x44012000, X=528, Y=296, nWidth=265, nHeight=145, hWndParent=0x201c6, hMenu=0x1, hInstance=0x72940000, lpParam=0x0) returned 0x201c8 [0024.731] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x81, wParam=0x0, lParam=0x18f66c) returned 0x1 [0024.731] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x83, wParam=0x0, lParam=0x18f658) returned 0x0 [0024.731] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x1, wParam=0x0, lParam=0x18f66c) returned 0x0 [0024.731] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x5, wParam=0x0, lParam=0x910109) returned 0x0 [0024.731] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x3, wParam=0x0, lParam=0x1280210) returned 0x0 [0024.731] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x30, wParam=0xa0a0884, lParam=0x0) returned 0x0 [0024.732] ShowWindow (hWnd=0x201c8, nCmdShow=5) returned 0 [0024.732] CallWindowProcA (lpPrevWndFunc=0x775dabd3, hWnd=0x201c8, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0024.732] GetClientRect (in: hWnd=0x201c6, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0024.732] MapWindowPoints (in: hWndFrom=0x201c6, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 18481425 [0024.732] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0024.732] SetEvent (hEvent=0xb4) returned 1 [0024.732] IsIconic (hWnd=0x201c6) returned 0 [0024.732] SendMessageA (hWnd=0x201c6, Msg=0x80, wParam=0x1, lParam=0x201e3) returned 0x0 [0024.732] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x80, wParam=0x1, lParam=0x201e3) returned 0x0 [0024.741] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x201db [0024.743] IsIconic (hWnd=0x201c6) returned 0 [0024.743] IsZoomed (hWnd=0x201c6) returned 0 [0024.743] GetClientRect (in: hWnd=0x201c6, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0024.743] GetWindow (hWnd=0x201c6, uCmd=0x5) returned 0x201c8 [0024.743] GetWindow (hWnd=0x201c8, uCmd=0x2) returned 0x0 [0024.743] GetParent (hWnd=0x201c8) returned 0x201c6 [0024.743] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.743] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76760000 [0024.743] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.744] GetProcAddress (hModule=0x76760000, lpProcName="CloseEventLog") returned 0x767677c3 [0024.744] CloseEventLog (hEventLog=0x0) returned 0 [0024.744] GetLastError () returned 0x6 [0024.744] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.744] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76760000 [0024.744] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.749] GetProcAddress (hModule=0x76760000, lpProcName="SetAclInformation") returned 0x767a34e3 [0024.750] SetAclInformation (in: pAcl=0x18fa78, pAclInformation=0x18fa7c, nAclInformationLength=0x0, dwAclInformationClass=0x0 | out: pAcl=0x18fa78) returned 0 [0024.750] GetLastError () returned 0x57 [0024.750] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.751] LoadLibraryA (lpLibFileName="user32") returned 0x75120000 [0024.751] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.751] GetProcAddress (hModule=0x75120000, lpProcName="CreateDialogIndirectParamA") returned 0x7514b029 [0024.751] CreateDialogIndirectParamA (hInstance=0x0, lpTemplate=0x18fa78, hWndParent=0x0, lpDialogFunc=0x0, dwInitParam=0x0) returned 0x0 [0024.793] GetLastError () returned 0x715 [0024.793] GetUserDefaultLCID () returned 0x409 [0024.793] VarBstrFromI2 (iVal=0, lcid=0x409, dwFlags=0x0, pbstrOut=0x18fa3c) returned 0x0 [0024.816] SysStringLen (param_1="0") returned 0x1 [0024.816] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0024.816] SysStringLen (param_1="0") returned 0x1 [0024.816] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=2, lpMultiByteStr=0x2bcb0c, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0024.817] GetUserDefaultLCID () returned 0x409 [0024.817] VarBstrFromI2 (iVal=0, lcid=0x409, dwFlags=0x0, pbstrOut=0x18fa38) returned 0x0 [0024.817] SysStringLen (param_1="0") returned 0x1 [0024.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0024.817] SysStringLen (param_1="0") returned 0x1 [0024.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=2, lpMultiByteStr=0x2bcb54, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0024.817] GetUserDefaultLCID () returned 0x409 [0024.817] VarBstrFromI2 (iVal=0, lcid=0x409, dwFlags=0x0, pbstrOut=0x18fa34) returned 0x0 [0024.817] SysStringLen (param_1="0") returned 0x1 [0024.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0024.817] SysStringLen (param_1="0") returned 0x1 [0024.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=2, lpMultiByteStr=0x2bcb84, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0024.817] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.817] LoadLibraryA (lpLibFileName="winspool.drv") returned 0x74e60000 [0024.842] SetErrorMode (uMode=0x8001) returned 0x8001 [0024.842] GetProcAddress (hModule=0x74e60000, lpProcName="DeletePrintProcessorA") returned 0x74e68aff [0024.842] DeletePrintProcessorA (pName="0", pEnvironment="0", pPrintProcessorName="0") returned 0 [0025.028] GetLastError () returned 0x7b [0025.028] GetCurrentThreadId () returned 0x9f8 [0025.028] GetCurrentThreadId () returned 0x9f8 [0025.028] GetCurrentThreadId () returned 0x9f8 [0025.029] SetWindowTextA (hWnd=0x60130, lpString="Saberbill8") returned 1 [0025.029] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0xc, wParam=0x0, lParam=0x501fe0) returned 0x1 [0025.029] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f8a8, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x35 [0025.029] lstrcpynA (in: lpString1=0x18f794, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", iMaxLength=260 | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" [0025.029] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe") returned 53 [0025.029] lstrcpyA (in: lpString1=0x50b490, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" [0025.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x50b510, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 38 [0025.030] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x50b510, cbMultiByte=-1, lpWideCharStr=0x316b74, cchWideChar=38 | out: lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 38 [0025.030] SysStringLen (param_1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0025.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchWideChar=38, lpMultiByteStr=0x316bcc, cbMultiByte=75, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpUsedDefaultChar=0x0) returned 38 [0025.030] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0025.030] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0xc, wParam=0x0, lParam=0x316bcc) returned 0x1 [0025.030] GetWindowLongA (hWnd=0x201c6, nIndex=-16) returned 114229248 [0025.030] GetWindowLongA (hWnd=0x201c6, nIndex=-20) returned 256 [0025.030] GetClientRect (in: hWnd=0x201c6, lpRect=0x18f98c | out: lpRect=0x18f98c) returned 1 [0025.030] MapWindowPoints (in: hWndFrom=0x201c6, hWndTo=0x0, lpPoints=0x18f98c, cPoints=0x2 | out: lpPoints=0x18f98c) returned 18481425 [0025.031] SetWindowLongA (hWnd=0x201c6, nIndex=-16, dwNewLong=114229248) returned 114229248 [0025.031] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x7c, wParam=0xfffffff0, lParam=0x18f918) returned 0x0 [0025.031] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x7d, wParam=0xfffffff0, lParam=0x18f918) returned 0x0 [0025.031] SetWindowLongA (hWnd=0x201c6, nIndex=-20, dwNewLong=256) returned 256 [0025.031] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x7c, wParam=0xffffffec, lParam=0x18f918) returned 0x0 [0025.031] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x7d, wParam=0xffffffec, lParam=0x18f918) returned 0x0 [0025.031] GetClientRect (in: hWnd=0x201c6, lpRect=0x18f954 | out: lpRect=0x18f954) returned 1 [0025.031] MapWindowPoints (in: hWndFrom=0x201c6, hWndTo=0x0, lpPoints=0x18f954, cPoints=0x2 | out: lpPoints=0x18f954) returned 18481425 [0025.031] EqualRect (lprc1=0x18f954, lprc2=0x18f98c) returned 1 [0025.032] GetClientRect (in: hWnd=0x201c6, lpRect=0x18f918 | out: lpRect=0x18f918) returned 1 [0025.032] OleTranslateColor () returned 0x0 [0025.032] OleTranslateColor () returned 0x0 [0025.032] CreateSolidBrush (color=0xff) returned 0x1910020a [0025.032] OleTranslateColor () returned 0x0 [0025.032] OleTranslateColor () returned 0x0 [0025.032] SetTextColor (hdc=0x760107e6, color=0x0) returned 0x0 [0025.032] SetBkColor (hdc=0x760107e6, color=0xff) returned 0xf0f0f0 [0025.032] FillRect (hDC=0x760107e6, lprc=0x18f918, hbr=0x1910020a) returned 1 [0025.032] SetTextColor (hdc=0x760107e6, color=0x0) returned 0x0 [0025.032] SetBkColor (hdc=0x760107e6, color=0xf0f0f0) returned 0xff [0025.032] OleTranslateColor () returned 0x0 [0025.033] SetBkColor (hdc=0x760107e6, color=0xff) returned 0xf0f0f0 [0025.033] GetCurrentProcessId () returned 0x9f4 [0025.033] PeekMessageA (in: lpMsg=0x18f97c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f97c) returned 0 [0025.033] GetTickCount () returned 0xe889 [0025.033] GetTickCount () returned 0xe889 [0025.033] GetTickCount () returned 0xe889 [0025.077] CoFreeUnusedLibraries () [0025.077] GetTickCount () returned 0xe8b8 [0025.077] GetTickCount () returned 0xe8b8 [0025.078] IsWindowVisible (hWnd=0x201c6) returned 0 [0025.078] Sleep (dwMilliseconds=0x0) [0025.078] SetWindowPos (hWnd=0x201c6, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0025.078] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x46, wParam=0x0, lParam=0x18f57c) returned 0x0 [0025.078] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x46, wParam=0x0, lParam=0x18f57c) returned 0x0 [0025.078] GetWindow (hWnd=0x201c6, uCmd=0x0) returned 0x3013c [0025.079] GetWindow (hWnd=0x3013c, uCmd=0x2) returned 0x3013a [0025.079] GetWindow (hWnd=0x3013a, uCmd=0x2) returned 0x10142 [0025.079] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x200ce [0025.079] GetWindow (hWnd=0x200ce, uCmd=0x2) returned 0x200e8 [0025.079] GetWindow (hWnd=0x200e8, uCmd=0x2) returned 0x200f8 [0025.079] GetWindow (hWnd=0x200f8, uCmd=0x2) returned 0x200e6 [0025.079] GetWindow (hWnd=0x200e6, uCmd=0x2) returned 0x1012e [0025.079] GetWindow (hWnd=0x1012e, uCmd=0x2) returned 0x1007c [0025.079] GetWindow (hWnd=0x1007c, uCmd=0x2) returned 0x1007a [0025.079] GetWindow (hWnd=0x1007a, uCmd=0x2) returned 0x10066 [0025.079] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10092 [0025.079] GetWindow (hWnd=0x10092, uCmd=0x2) returned 0x10084 [0025.079] GetWindow (hWnd=0x10084, uCmd=0x2) returned 0x10082 [0025.079] GetWindow (hWnd=0x10082, uCmd=0x2) returned 0x1007e [0025.079] GetWindow (hWnd=0x1007e, uCmd=0x2) returned 0x1005c [0025.079] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10058 [0025.079] GetWindow (hWnd=0x10058, uCmd=0x2) returned 0x1005e [0025.079] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005a [0025.079] GetWindow (hWnd=0x1005a, uCmd=0x2) returned 0x10124 [0025.079] GetWindow (hWnd=0x10124, uCmd=0x2) returned 0x10122 [0025.079] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x100f4 [0025.080] GetWindow (hWnd=0x100f4, uCmd=0x2) returned 0x5009c [0025.080] GetWindow (hWnd=0x5009c, uCmd=0x2) returned 0x10094 [0025.080] GetWindow (hWnd=0x10094, uCmd=0x2) returned 0x101ba [0025.080] GetWindow (hWnd=0x101ba, uCmd=0x2) returned 0x101b8 [0025.080] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x50128 [0025.080] GetWindow (hWnd=0x50128, uCmd=0x2) returned 0x201c6 [0025.080] IsWindowVisible (hWnd=0x201c6) returned 0 [0025.080] GetWindow (hWnd=0x201c6, uCmd=0x2) returned 0x40134 [0025.080] GetWindow (hWnd=0x40134, uCmd=0x2) returned 0x60130 [0025.080] GetWindow (hWnd=0x60130, uCmd=0x2) returned 0x101c2 [0025.080] GetWindow (hWnd=0x101c2, uCmd=0x2) returned 0x101c4 [0025.080] GetWindow (hWnd=0x101c4, uCmd=0x2) returned 0x101b6 [0025.080] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101b2 [0025.080] GetWindow (hWnd=0x101b2, uCmd=0x2) returned 0x101b4 [0025.080] GetWindow (hWnd=0x101b4, uCmd=0x2) returned 0x101b0 [0025.080] GetWindow (hWnd=0x101b0, uCmd=0x2) returned 0x101ae [0025.080] GetWindow (hWnd=0x101ae, uCmd=0x2) returned 0x101ac [0025.081] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x101aa [0025.081] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x101a8 [0025.081] GetWindow (hWnd=0x101a8, uCmd=0x2) returned 0x101a4 [0025.081] GetWindow (hWnd=0x101a4, uCmd=0x2) returned 0x101a6 [0025.081] GetWindow (hWnd=0x101a6, uCmd=0x2) returned 0x101a0 [0025.081] GetWindow (hWnd=0x101a0, uCmd=0x2) returned 0x101a2 [0025.081] GetWindow (hWnd=0x101a2, uCmd=0x2) returned 0x1019c [0025.081] GetWindow (hWnd=0x1019c, uCmd=0x2) returned 0x1019e [0025.081] GetWindow (hWnd=0x1019e, uCmd=0x2) returned 0x10198 [0025.081] GetWindow (hWnd=0x10198, uCmd=0x2) returned 0x1019a [0025.081] GetWindow (hWnd=0x1019a, uCmd=0x2) returned 0x10194 [0025.081] GetWindow (hWnd=0x10194, uCmd=0x2) returned 0x10196 [0025.081] GetWindow (hWnd=0x10196, uCmd=0x2) returned 0x10190 [0025.081] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x10192 [0025.081] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x2018e [0025.082] GetWindow (hWnd=0x2018e, uCmd=0x2) returned 0x20188 [0025.082] GetWindow (hWnd=0x20188, uCmd=0x2) returned 0x1018a [0025.082] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x1018c [0025.082] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1017a [0025.082] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x1017c [0025.082] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x10176 [0025.082] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10178 [0025.082] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x10172 [0025.082] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x10174 [0025.082] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x1016e [0025.082] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10170 [0025.082] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x1016a [0025.082] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x1016c [0025.082] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x10166 [0025.082] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10168 [0025.082] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x10162 [0025.083] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x10164 [0025.083] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x1015e [0025.083] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x10160 [0025.083] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x1017e [0025.083] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x30156 [0025.083] GetWindow (hWnd=0x30156, uCmd=0x2) returned 0x1014c [0025.083] GetWindow (hWnd=0x1014c, uCmd=0x2) returned 0x1014a [0025.083] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x20140 [0025.083] GetWindow (hWnd=0x20140, uCmd=0x2) returned 0x20024 [0025.083] GetWindow (hWnd=0x20024, uCmd=0x2) returned 0x10136 [0025.083] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x20028 [0025.083] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x2001e [0025.083] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x2001c [0025.083] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0025.083] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200d2 [0025.083] GetWindow (hWnd=0x200d2, uCmd=0x2) returned 0x200c2 [0025.083] GetWindow (hWnd=0x200c2, uCmd=0x2) returned 0x200b0 [0025.084] GetWindow (hWnd=0x200b0, uCmd=0x2) returned 0x200b2 [0025.084] GetWindow (hWnd=0x200b2, uCmd=0x2) returned 0x200b6 [0025.084] GetWindow (hWnd=0x200b6, uCmd=0x2) returned 0x200be [0025.084] GetWindow (hWnd=0x200be, uCmd=0x2) returned 0x300cc [0025.084] GetWindow (hWnd=0x300cc, uCmd=0x2) returned 0x400a0 [0025.084] GetWindow (hWnd=0x400a0, uCmd=0x2) returned 0x10112 [0025.084] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10114 [0025.084] GetWindow (hWnd=0x10114, uCmd=0x2) returned 0x1010a [0025.084] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x10110 [0025.084] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x300fe [0025.084] GetWindow (hWnd=0x300fe, uCmd=0x2) returned 0x1010e [0025.084] GetWindow (hWnd=0x1010e, uCmd=0x2) returned 0x10108 [0025.084] GetWindow (hWnd=0x10108, uCmd=0x2) returned 0x10106 [0025.084] GetWindow (hWnd=0x10106, uCmd=0x2) returned 0x10102 [0025.084] GetWindow (hWnd=0x10102, uCmd=0x2) returned 0x100fc [0025.085] GetWindow (hWnd=0x100fc, uCmd=0x2) returned 0x50096 [0025.085] GetWindow (hWnd=0x50096, uCmd=0x2) returned 0x1008a [0025.085] GetWindow (hWnd=0x1008a, uCmd=0x2) returned 0x10088 [0025.085] GetWindow (hWnd=0x10088, uCmd=0x2) returned 0x10080 [0025.085] GetWindow (hWnd=0x10080, uCmd=0x2) returned 0x1006e [0025.085] GetWindow (hWnd=0x1006e, uCmd=0x2) returned 0x1006a [0025.085] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10056 [0025.085] GetWindow (hWnd=0x10056, uCmd=0x2) returned 0x1004e [0025.085] GetWindow (hWnd=0x1004e, uCmd=0x2) returned 0x2004a [0025.085] GetWindow (hWnd=0x2004a, uCmd=0x2) returned 0x1004c [0025.085] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x30044 [0025.085] GetWindow (hWnd=0x30044, uCmd=0x2) returned 0x10048 [0025.085] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10046 [0025.085] GetWindow (hWnd=0x10046, uCmd=0x2) returned 0x1011e [0025.085] GetWindow (hWnd=0x1011e, uCmd=0x2) returned 0x1011c [0025.085] GetWindow (hWnd=0x1011c, uCmd=0x2) returned 0x100ec [0025.085] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x0 [0025.086] GetCurrentProcessId () returned 0x9f4 [0025.086] PeekMessageA (in: lpMsg=0x18f97c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f97c) returned 0 [0025.086] GetTickCount () returned 0xe8b8 [0025.086] GetTickCount () returned 0xe8b8 [0025.086] GetTickCount () returned 0xe8b8 [0025.086] GetTickCount () returned 0xe8b8 [0025.089] IsWindowVisible (hWnd=0x201c6) returned 0 [0025.089] Sleep (dwMilliseconds=0x0) [0025.089] IsWindowVisible (hWnd=0x201c6) returned 0 [0025.089] ShowWindow (hWnd=0x201c6, nCmdShow=0) returned 0 [0031.498] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.498] LoadLibraryA (lpLibFileName="user32") returned 0x75120000 [0031.508] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.508] GetProcAddress (hModule=0x75120000, lpProcName="CreateWindowExA") returned 0x7513d22e [0031.508] CreateWindowExA (dwExStyle=0x80, lpClassName="STATIC", lpWindowName="çSÌ¥\x92Ë\x1fhÑ\x94Ã7\x1e¯¸X ²B", dwStyle=0x0, X=1488498462, Y=935564497, nWidth=1746914194, nHeight=-1513335833, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x301d0 [0031.509] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.509] LoadLibraryA (lpLibFileName="user32") returned 0x75120000 [0031.509] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.509] GetProcAddress (hModule=0x75120000, lpProcName="ShowWindow") returned 0x75140dfb [0031.509] ShowWindow (hWnd=0x301d0, nCmdShow=1) returned 0 [0031.510] GetWindowLongA (hWnd=0x50128, nIndex=0) returned 5185692 [0031.510] NtdllDefWindowProc_A (hWnd=0x201c6, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0031.510] NtdllDefWindowProc_A (hWnd=0x60130, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0031.567] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.568] LoadLibraryA (lpLibFileName="Msvbvm60.dll") returned 0x72940000 [0031.568] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.568] GetProcAddress (hModule=0x72940000, lpProcName="rtcDoEvents") returned 0x72a0e0f7 [0031.568] GetCurrentProcessId () returned 0x9f4 [0031.568] PeekMessageA (in: lpMsg=0x18f8a8, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f8a8) returned 1 [0031.568] TranslateMessage (lpMsg=0x18f8a8) returned 0 [0031.568] DispatchMessageA (lpMsg=0x18f8a8) returned 0x0 [0031.568] PeekMessageA (in: lpMsg=0x18f824, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x18f824) returned 0 [0031.568] GetTickCount () returned 0x10212 [0031.568] IsWindowVisible (hWnd=0x201c6) returned 0 [0031.568] Sleep (dwMilliseconds=0x0) [0031.568] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.568] LoadLibraryA (lpLibFileName="user32") returned 0x75120000 [0031.569] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.569] GetProcAddress (hModule=0x75120000, lpProcName="EnumWindows") returned 0x7513d1cf [0031.569] EnumWindows (lpEnumFunc=0x42b8e9, lParam=0x18f974) returned 1 [0031.570] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.570] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0031.570] SetErrorMode (uMode=0x8001) returned 0x8001 [0031.571] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAlloc") returned 0x765c1856 [0031.571] VirtualAlloc (lpAddress=0x0, dwSize=0x8300, flAllocationType=0x1000, flProtect=0x40) returned 0x3a0000 [0040.192] SetErrorMode (uMode=0x8001) returned 0x8001 [0040.192] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0040.192] SetErrorMode (uMode=0x8001) returned 0x8001 [0040.192] GetProcAddress (hModule=0x765b0000, lpProcName="GetTickCount") returned 0x765c110c [0040.192] SetErrorMode (uMode=0x8001) returned 0x8001 [0040.192] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0040.192] SetErrorMode (uMode=0x8001) returned 0x8001 [0040.192] GetProcAddress (hModule=0x765b0000, lpProcName="Sleep") returned 0x765c10ff [0040.192] GetTickCount () returned 0x12396 [0040.192] Sleep (dwMilliseconds=0x7d0) [0042.191] GetTickCount () returned 0x12b72 [0042.191] SetErrorMode (uMode=0x8001) returned 0x8001 [0042.191] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0042.191] SetErrorMode (uMode=0x8001) returned 0x8001 [0042.191] GetProcAddress (hModule=0x765b0000, lpProcName="SetErrorMode") returned 0x765c1b00 [0042.191] SetErrorMode (uMode=0x800) returned 0x8001 [0042.191] SetErrorMode (uMode=0x0) returned 0x800 [0042.191] SetErrorMode (uMode=0x8001) returned 0x0 [0042.191] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0042.192] SetErrorMode (uMode=0x0) returned 0x8001 [0042.192] GetProcAddress (hModule=0x765b0000, lpProcName="SetLastError") returned 0x765c11a9 [0042.192] SetLastError (dwErrCode=0x5) [0042.192] SetErrorMode (uMode=0x8001) returned 0x0 [0042.192] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0042.192] SetErrorMode (uMode=0x0) returned 0x8001 [0042.192] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAllocEx") returned 0x765dd9b0 [0042.192] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x4000000, flAllocationType=0x3000, flProtect=0x40) returned 0x34c0000 [0042.194] SetErrorMode (uMode=0x8001) returned 0x0 [0042.194] LoadLibraryA (lpLibFileName="user32") returned 0x75120000 [0042.194] SetErrorMode (uMode=0x0) returned 0x8001 [0042.195] GetProcAddress (hModule=0x75120000, lpProcName="GetCursorPos") returned 0x75141218 [0042.195] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.195] Sleep (dwMilliseconds=0x1) [0042.206] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.206] Sleep (dwMilliseconds=0x1) [0042.223] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.223] Sleep (dwMilliseconds=0x1) [0042.237] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.237] Sleep (dwMilliseconds=0x1) [0042.253] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.253] Sleep (dwMilliseconds=0x1) [0042.268] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.268] Sleep (dwMilliseconds=0x1) [0042.284] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.284] Sleep (dwMilliseconds=0x1) [0042.301] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.301] Sleep (dwMilliseconds=0x1) [0042.316] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.316] Sleep (dwMilliseconds=0x1) [0042.331] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.331] Sleep (dwMilliseconds=0x1) [0042.346] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.346] Sleep (dwMilliseconds=0x1) [0042.362] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.362] Sleep (dwMilliseconds=0x1) [0042.378] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.378] Sleep (dwMilliseconds=0x1) [0042.400] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.400] Sleep (dwMilliseconds=0x1) [0042.409] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.409] Sleep (dwMilliseconds=0x1) [0042.434] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.434] Sleep (dwMilliseconds=0x1) [0042.448] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.448] Sleep (dwMilliseconds=0x1) [0042.466] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.466] Sleep (dwMilliseconds=0x1) [0042.508] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.508] Sleep (dwMilliseconds=0x1) [0042.518] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.518] Sleep (dwMilliseconds=0x1) [0042.540] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.540] Sleep (dwMilliseconds=0x1) [0042.551] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.551] Sleep (dwMilliseconds=0x1) [0042.565] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.565] Sleep (dwMilliseconds=0x1) [0042.580] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.580] Sleep (dwMilliseconds=0x1) [0042.596] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.596] Sleep (dwMilliseconds=0x1) [0042.613] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.613] Sleep (dwMilliseconds=0x1) [0042.627] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.627] Sleep (dwMilliseconds=0x1) [0042.643] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.643] Sleep (dwMilliseconds=0x1) [0042.658] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.658] Sleep (dwMilliseconds=0x1) [0042.712] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.712] Sleep (dwMilliseconds=0x1) [0042.721] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.721] Sleep (dwMilliseconds=0x1) [0042.736] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.736] Sleep (dwMilliseconds=0x1) [0042.752] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.752] Sleep (dwMilliseconds=0x1) [0042.767] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.768] Sleep (dwMilliseconds=0x1) [0042.783] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.783] Sleep (dwMilliseconds=0x1) [0042.799] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.799] Sleep (dwMilliseconds=0x1) [0042.814] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.814] Sleep (dwMilliseconds=0x1) [0042.830] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.830] Sleep (dwMilliseconds=0x1) [0042.846] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.846] Sleep (dwMilliseconds=0x1) [0042.861] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.861] Sleep (dwMilliseconds=0x1) [0042.877] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.877] Sleep (dwMilliseconds=0x1) [0042.892] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.892] Sleep (dwMilliseconds=0x1) [0042.908] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.908] Sleep (dwMilliseconds=0x1) [0042.924] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.924] Sleep (dwMilliseconds=0x1) [0042.939] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.939] Sleep (dwMilliseconds=0x1) [0042.955] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.955] Sleep (dwMilliseconds=0x1) [0042.970] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.970] Sleep (dwMilliseconds=0x1) [0042.987] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0042.987] Sleep (dwMilliseconds=0x1) [0043.002] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.002] Sleep (dwMilliseconds=0x1) [0043.017] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.017] Sleep (dwMilliseconds=0x1) [0043.033] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.033] Sleep (dwMilliseconds=0x1) [0043.048] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.048] Sleep (dwMilliseconds=0x1) [0043.064] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.064] Sleep (dwMilliseconds=0x1) [0043.080] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.080] Sleep (dwMilliseconds=0x1) [0043.097] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.097] Sleep (dwMilliseconds=0x1) [0043.111] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.111] Sleep (dwMilliseconds=0x1) [0043.127] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.127] Sleep (dwMilliseconds=0x1) [0043.142] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.142] Sleep (dwMilliseconds=0x1) [0043.158] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.158] Sleep (dwMilliseconds=0x1) [0043.173] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.173] Sleep (dwMilliseconds=0x1) [0043.189] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.189] Sleep (dwMilliseconds=0x1) [0043.204] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.204] Sleep (dwMilliseconds=0x1) [0043.220] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.220] Sleep (dwMilliseconds=0x1) [0043.236] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.236] Sleep (dwMilliseconds=0x1) [0043.251] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.251] Sleep (dwMilliseconds=0x1) [0043.267] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.267] Sleep (dwMilliseconds=0x1) [0043.283] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.283] Sleep (dwMilliseconds=0x1) [0043.298] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.298] Sleep (dwMilliseconds=0x1) [0043.314] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.314] Sleep (dwMilliseconds=0x1) [0043.329] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.329] Sleep (dwMilliseconds=0x1) [0043.345] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.345] Sleep (dwMilliseconds=0x1) [0043.360] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.360] Sleep (dwMilliseconds=0x1) [0043.376] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.376] Sleep (dwMilliseconds=0x1) [0043.391] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.392] Sleep (dwMilliseconds=0x1) [0043.407] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.407] Sleep (dwMilliseconds=0x1) [0043.423] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.423] Sleep (dwMilliseconds=0x1) [0043.439] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.439] Sleep (dwMilliseconds=0x1) [0043.454] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.454] Sleep (dwMilliseconds=0x1) [0043.470] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.470] Sleep (dwMilliseconds=0x1) [0043.485] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.485] Sleep (dwMilliseconds=0x1) [0043.501] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.501] Sleep (dwMilliseconds=0x1) [0043.525] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.525] Sleep (dwMilliseconds=0x1) [0043.536] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.536] Sleep (dwMilliseconds=0x1) [0043.548] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.548] Sleep (dwMilliseconds=0x1) [0043.563] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.563] Sleep (dwMilliseconds=0x1) [0043.579] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.579] Sleep (dwMilliseconds=0x1) [0043.594] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.594] Sleep (dwMilliseconds=0x1) [0043.610] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.610] Sleep (dwMilliseconds=0x1) [0043.625] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.626] Sleep (dwMilliseconds=0x1) [0043.641] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.641] Sleep (dwMilliseconds=0x1) [0043.657] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.657] Sleep (dwMilliseconds=0x1) [0043.672] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.672] Sleep (dwMilliseconds=0x1) [0043.688] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.688] Sleep (dwMilliseconds=0x1) [0043.704] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.704] Sleep (dwMilliseconds=0x1) [0043.719] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.719] Sleep (dwMilliseconds=0x1) [0043.735] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.735] Sleep (dwMilliseconds=0x1) [0043.751] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.751] Sleep (dwMilliseconds=0x1) [0043.766] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.766] Sleep (dwMilliseconds=0x1) [0043.782] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.782] Sleep (dwMilliseconds=0x1) [0043.797] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.797] Sleep (dwMilliseconds=0x1) [0043.814] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.814] Sleep (dwMilliseconds=0x1) [0043.828] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.828] Sleep (dwMilliseconds=0x1) [0043.844] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.844] Sleep (dwMilliseconds=0x1) [0043.860] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.860] Sleep (dwMilliseconds=0x1) [0043.875] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.875] Sleep (dwMilliseconds=0x1) [0043.891] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.891] Sleep (dwMilliseconds=0x1) [0043.907] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.907] Sleep (dwMilliseconds=0x1) [0043.922] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.922] Sleep (dwMilliseconds=0x1) [0043.938] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.938] Sleep (dwMilliseconds=0x1) [0043.953] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.953] Sleep (dwMilliseconds=0x1) [0043.969] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.969] Sleep (dwMilliseconds=0x1) [0043.984] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0043.984] Sleep (dwMilliseconds=0x1) [0044.000] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.000] Sleep (dwMilliseconds=0x1) [0044.015] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.016] Sleep (dwMilliseconds=0x1) [0044.031] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.031] Sleep (dwMilliseconds=0x1) [0044.047] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.047] Sleep (dwMilliseconds=0x1) [0044.062] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.062] Sleep (dwMilliseconds=0x1) [0044.078] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.078] Sleep (dwMilliseconds=0x1) [0044.094] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.094] Sleep (dwMilliseconds=0x1) [0044.109] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.109] Sleep (dwMilliseconds=0x1) [0044.126] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.126] Sleep (dwMilliseconds=0x1) [0044.140] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.140] Sleep (dwMilliseconds=0x1) [0044.156] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.156] Sleep (dwMilliseconds=0x1) [0044.171] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.171] Sleep (dwMilliseconds=0x1) [0044.187] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.187] Sleep (dwMilliseconds=0x1) [0044.204] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.204] Sleep (dwMilliseconds=0x1) [0044.218] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.219] Sleep (dwMilliseconds=0x1) [0044.234] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.234] Sleep (dwMilliseconds=0x1) [0044.250] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.250] Sleep (dwMilliseconds=0x1) [0044.265] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.265] Sleep (dwMilliseconds=0x1) [0044.281] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.281] Sleep (dwMilliseconds=0x1) [0044.297] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.297] Sleep (dwMilliseconds=0x1) [0044.312] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.312] Sleep (dwMilliseconds=0x1) [0044.328] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.328] Sleep (dwMilliseconds=0x1) [0044.343] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.343] Sleep (dwMilliseconds=0x1) [0044.359] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.359] Sleep (dwMilliseconds=0x1) [0044.374] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.375] Sleep (dwMilliseconds=0x1) [0044.390] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.390] Sleep (dwMilliseconds=0x1) [0044.406] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.406] Sleep (dwMilliseconds=0x1) [0044.421] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.421] Sleep (dwMilliseconds=0x1) [0044.437] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.437] Sleep (dwMilliseconds=0x1) [0044.452] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.452] Sleep (dwMilliseconds=0x1) [0044.468] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.468] Sleep (dwMilliseconds=0x1) [0044.485] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.485] Sleep (dwMilliseconds=0x1) [0044.499] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.499] Sleep (dwMilliseconds=0x1) [0044.515] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.515] Sleep (dwMilliseconds=0x1) [0044.542] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.542] Sleep (dwMilliseconds=0x1) [0044.546] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.546] Sleep (dwMilliseconds=0x1) [0044.562] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.562] Sleep (dwMilliseconds=0x1) [0044.577] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.577] Sleep (dwMilliseconds=0x1) [0044.594] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.594] Sleep (dwMilliseconds=0x1) [0044.608] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.608] Sleep (dwMilliseconds=0x1) [0044.624] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.624] Sleep (dwMilliseconds=0x1) [0044.640] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.640] Sleep (dwMilliseconds=0x1) [0044.655] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.655] Sleep (dwMilliseconds=0x1) [0044.671] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.671] Sleep (dwMilliseconds=0x1) [0044.686] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.686] Sleep (dwMilliseconds=0x1) [0044.702] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.702] Sleep (dwMilliseconds=0x1) [0044.718] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.718] Sleep (dwMilliseconds=0x1) [0044.733] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.733] Sleep (dwMilliseconds=0x1) [0044.749] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.749] Sleep (dwMilliseconds=0x1) [0044.764] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.764] Sleep (dwMilliseconds=0x1) [0044.780] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.780] Sleep (dwMilliseconds=0x1) [0044.795] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.796] Sleep (dwMilliseconds=0x1) [0044.811] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.811] Sleep (dwMilliseconds=0x1) [0044.827] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.827] Sleep (dwMilliseconds=0x1) [0044.843] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.843] Sleep (dwMilliseconds=0x1) [0044.858] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.858] Sleep (dwMilliseconds=0x1) [0044.874] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.874] Sleep (dwMilliseconds=0x1) [0044.889] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.889] Sleep (dwMilliseconds=0x1) [0044.905] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.905] Sleep (dwMilliseconds=0x1) [0044.920] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.920] Sleep (dwMilliseconds=0x1) [0044.936] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.936] Sleep (dwMilliseconds=0x1) [0044.952] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.952] Sleep (dwMilliseconds=0x1) [0044.967] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.967] Sleep (dwMilliseconds=0x1) [0044.984] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.984] Sleep (dwMilliseconds=0x1) [0044.998] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0044.998] Sleep (dwMilliseconds=0x1) [0045.014] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.014] Sleep (dwMilliseconds=0x1) [0045.030] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.030] Sleep (dwMilliseconds=0x1) [0045.045] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.045] Sleep (dwMilliseconds=0x1) [0045.061] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.061] Sleep (dwMilliseconds=0x1) [0045.076] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.077] Sleep (dwMilliseconds=0x1) [0045.092] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.092] Sleep (dwMilliseconds=0x1) [0045.108] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.108] Sleep (dwMilliseconds=0x1) [0045.123] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.123] Sleep (dwMilliseconds=0x1) [0045.139] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.139] Sleep (dwMilliseconds=0x1) [0045.154] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.155] Sleep (dwMilliseconds=0x1) [0045.170] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.170] Sleep (dwMilliseconds=0x1) [0045.186] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.186] Sleep (dwMilliseconds=0x1) [0045.201] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.201] Sleep (dwMilliseconds=0x1) [0045.217] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.217] Sleep (dwMilliseconds=0x1) [0045.232] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.232] Sleep (dwMilliseconds=0x1) [0045.248] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.248] Sleep (dwMilliseconds=0x1) [0045.264] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.264] Sleep (dwMilliseconds=0x1) [0045.279] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.279] Sleep (dwMilliseconds=0x1) [0045.295] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.295] Sleep (dwMilliseconds=0x1) [0045.310] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.310] Sleep (dwMilliseconds=0x1) [0045.326] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.326] Sleep (dwMilliseconds=0x1) [0045.342] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.342] Sleep (dwMilliseconds=0x1) [0045.357] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.357] Sleep (dwMilliseconds=0x1) [0045.374] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.374] Sleep (dwMilliseconds=0x1) [0045.388] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.388] Sleep (dwMilliseconds=0x1) [0045.404] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.404] Sleep (dwMilliseconds=0x1) [0045.420] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.420] Sleep (dwMilliseconds=0x1) [0045.435] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.435] Sleep (dwMilliseconds=0x1) [0045.451] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.451] Sleep (dwMilliseconds=0x1) [0045.466] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.466] Sleep (dwMilliseconds=0x1) [0045.482] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.482] Sleep (dwMilliseconds=0x1) [0045.516] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.516] Sleep (dwMilliseconds=0x1) [0045.529] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.529] Sleep (dwMilliseconds=0x1) [0045.557] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.557] Sleep (dwMilliseconds=0x1) [0045.560] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.560] Sleep (dwMilliseconds=0x1) [0045.576] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.576] Sleep (dwMilliseconds=0x1) [0045.591] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.591] Sleep (dwMilliseconds=0x1) [0045.607] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.607] Sleep (dwMilliseconds=0x1) [0045.622] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.623] Sleep (dwMilliseconds=0x1) [0045.638] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.638] Sleep (dwMilliseconds=0x1) [0045.654] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.654] Sleep (dwMilliseconds=0x1) [0045.669] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.669] Sleep (dwMilliseconds=0x1) [0045.685] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.685] Sleep (dwMilliseconds=0x1) [0045.700] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.700] Sleep (dwMilliseconds=0x1) [0045.716] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.716] Sleep (dwMilliseconds=0x1) [0045.732] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.732] Sleep (dwMilliseconds=0x1) [0045.747] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.747] Sleep (dwMilliseconds=0x1) [0045.763] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.763] Sleep (dwMilliseconds=0x1) [0045.779] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.779] Sleep (dwMilliseconds=0x1) [0045.794] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.794] Sleep (dwMilliseconds=0x1) [0045.810] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.810] Sleep (dwMilliseconds=0x1) [0045.825] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.825] Sleep (dwMilliseconds=0x1) [0045.841] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.841] Sleep (dwMilliseconds=0x1) [0045.856] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.856] Sleep (dwMilliseconds=0x1) [0045.881] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.881] Sleep (dwMilliseconds=0x1) [0045.889] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.889] Sleep (dwMilliseconds=0x1) [0045.905] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.905] Sleep (dwMilliseconds=0x1) [0045.920] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.920] Sleep (dwMilliseconds=0x1) [0045.936] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.937] Sleep (dwMilliseconds=0x1) [0045.951] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.951] Sleep (dwMilliseconds=0x1) [0045.967] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.967] Sleep (dwMilliseconds=0x1) [0045.982] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.982] Sleep (dwMilliseconds=0x1) [0045.997] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0045.997] Sleep (dwMilliseconds=0x1) [0046.012] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.012] Sleep (dwMilliseconds=0x1) [0046.028] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.028] Sleep (dwMilliseconds=0x1) [0046.044] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.044] Sleep (dwMilliseconds=0x1) [0046.059] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.059] Sleep (dwMilliseconds=0x1) [0046.075] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.075] Sleep (dwMilliseconds=0x1) [0046.090] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.090] Sleep (dwMilliseconds=0x1) [0046.106] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.106] Sleep (dwMilliseconds=0x1) [0046.122] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.122] Sleep (dwMilliseconds=0x1) [0046.137] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.137] Sleep (dwMilliseconds=0x1) [0046.153] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.153] Sleep (dwMilliseconds=0x1) [0046.169] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.169] Sleep (dwMilliseconds=0x1) [0046.184] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.184] Sleep (dwMilliseconds=0x1) [0046.200] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.200] Sleep (dwMilliseconds=0x1) [0046.215] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.215] Sleep (dwMilliseconds=0x1) [0046.231] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.231] Sleep (dwMilliseconds=0x1) [0046.246] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.246] Sleep (dwMilliseconds=0x1) [0046.262] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.262] Sleep (dwMilliseconds=0x1) [0046.277] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.278] Sleep (dwMilliseconds=0x1) [0046.300] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.300] Sleep (dwMilliseconds=0x1) [0046.309] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.309] Sleep (dwMilliseconds=0x1) [0046.332] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.332] Sleep (dwMilliseconds=0x1) [0046.340] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.340] Sleep (dwMilliseconds=0x1) [0046.356] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.356] Sleep (dwMilliseconds=0x1) [0046.371] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.372] Sleep (dwMilliseconds=0x1) [0046.387] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.387] Sleep (dwMilliseconds=0x1) [0046.402] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.402] Sleep (dwMilliseconds=0x1) [0046.418] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.418] Sleep (dwMilliseconds=0x1) [0046.434] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.434] Sleep (dwMilliseconds=0x1) [0046.450] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.450] Sleep (dwMilliseconds=0x1) [0046.468] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.468] Sleep (dwMilliseconds=0x1) [0046.481] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.481] Sleep (dwMilliseconds=0x1) [0046.496] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.496] Sleep (dwMilliseconds=0x1) [0046.513] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.513] Sleep (dwMilliseconds=0x1) [0046.527] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.527] Sleep (dwMilliseconds=0x1) [0046.553] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.553] Sleep (dwMilliseconds=0x1) [0046.559] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.559] Sleep (dwMilliseconds=0x1) [0046.574] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.574] Sleep (dwMilliseconds=0x1) [0046.589] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.590] Sleep (dwMilliseconds=0x1) [0046.605] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.605] Sleep (dwMilliseconds=0x1) [0046.621] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.621] Sleep (dwMilliseconds=0x1) [0046.637] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.637] Sleep (dwMilliseconds=0x1) [0046.657] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.657] Sleep (dwMilliseconds=0x1) [0046.672] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.672] Sleep (dwMilliseconds=0x1) [0046.683] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.683] Sleep (dwMilliseconds=0x1) [0046.700] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.700] Sleep (dwMilliseconds=0x1) [0046.714] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.715] Sleep (dwMilliseconds=0x1) [0046.730] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.730] Sleep (dwMilliseconds=0x1) [0046.746] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.746] Sleep (dwMilliseconds=0x1) [0046.774] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.775] Sleep (dwMilliseconds=0x1) [0046.777] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.777] Sleep (dwMilliseconds=0x1) [0046.812] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.812] Sleep (dwMilliseconds=0x1) [0046.824] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.824] Sleep (dwMilliseconds=0x1) [0046.839] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.839] Sleep (dwMilliseconds=0x1) [0046.855] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.855] Sleep (dwMilliseconds=0x1) [0046.870] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.870] Sleep (dwMilliseconds=0x1) [0046.886] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.886] Sleep (dwMilliseconds=0x1) [0046.902] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.902] Sleep (dwMilliseconds=0x1) [0046.917] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.917] Sleep (dwMilliseconds=0x1) [0046.933] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.933] Sleep (dwMilliseconds=0x1) [0046.950] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.950] Sleep (dwMilliseconds=0x1) [0046.964] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.964] Sleep (dwMilliseconds=0x1) [0046.980] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.980] Sleep (dwMilliseconds=0x1) [0046.995] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0046.996] Sleep (dwMilliseconds=0x1) [0047.011] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.011] Sleep (dwMilliseconds=0x1) [0047.026] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.026] Sleep (dwMilliseconds=0x1) [0047.042] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.042] Sleep (dwMilliseconds=0x1) [0047.058] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.058] Sleep (dwMilliseconds=0x1) [0047.073] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.073] Sleep (dwMilliseconds=0x1) [0047.089] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.089] Sleep (dwMilliseconds=0x1) [0047.104] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.104] Sleep (dwMilliseconds=0x1) [0047.120] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.120] Sleep (dwMilliseconds=0x1) [0047.136] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.136] Sleep (dwMilliseconds=0x1) [0047.151] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.151] Sleep (dwMilliseconds=0x1) [0047.167] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.167] Sleep (dwMilliseconds=0x1) [0047.182] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.182] Sleep (dwMilliseconds=0x1) [0047.198] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.198] Sleep (dwMilliseconds=0x1) [0047.213] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.214] Sleep (dwMilliseconds=0x1) [0047.229] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.229] Sleep (dwMilliseconds=0x1) [0047.245] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.245] Sleep (dwMilliseconds=0x1) [0047.260] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.260] Sleep (dwMilliseconds=0x1) [0047.276] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.276] Sleep (dwMilliseconds=0x1) [0047.292] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.292] Sleep (dwMilliseconds=0x1) [0047.307] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.307] Sleep (dwMilliseconds=0x1) [0047.323] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.323] Sleep (dwMilliseconds=0x1) [0047.347] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.347] Sleep (dwMilliseconds=0x1) [0047.359] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.359] Sleep (dwMilliseconds=0x1) [0047.375] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.375] Sleep (dwMilliseconds=0x1) [0047.389] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.389] Sleep (dwMilliseconds=0x1) [0047.401] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.401] Sleep (dwMilliseconds=0x1) [0047.416] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.416] Sleep (dwMilliseconds=0x1) [0047.432] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.432] Sleep (dwMilliseconds=0x1) [0047.448] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.448] Sleep (dwMilliseconds=0x1) [0047.463] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.463] Sleep (dwMilliseconds=0x1) [0047.479] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.479] Sleep (dwMilliseconds=0x1) [0047.494] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.494] Sleep (dwMilliseconds=0x1) [0047.510] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.510] Sleep (dwMilliseconds=0x1) [0047.525] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.526] Sleep (dwMilliseconds=0x1) [0047.544] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.544] Sleep (dwMilliseconds=0x1) [0047.557] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.557] Sleep (dwMilliseconds=0x1) [0047.572] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.572] Sleep (dwMilliseconds=0x1) [0047.588] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.588] Sleep (dwMilliseconds=0x1) [0047.604] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.604] Sleep (dwMilliseconds=0x1) [0047.619] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.619] Sleep (dwMilliseconds=0x1) [0047.635] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.635] Sleep (dwMilliseconds=0x1) [0047.650] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.651] Sleep (dwMilliseconds=0x1) [0047.671] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.671] Sleep (dwMilliseconds=0x1) [0047.682] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.682] Sleep (dwMilliseconds=0x1) [0047.697] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.698] Sleep (dwMilliseconds=0x1) [0047.714] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.714] Sleep (dwMilliseconds=0x1) [0047.729] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.729] Sleep (dwMilliseconds=0x1) [0047.744] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.744] Sleep (dwMilliseconds=0x1) [0047.760] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.760] Sleep (dwMilliseconds=0x1) [0047.775] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.775] Sleep (dwMilliseconds=0x1) [0047.791] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.791] Sleep (dwMilliseconds=0x1) [0047.806] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.806] Sleep (dwMilliseconds=0x1) [0047.822] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.822] Sleep (dwMilliseconds=0x1) [0047.838] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.838] Sleep (dwMilliseconds=0x1) [0047.853] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.853] Sleep (dwMilliseconds=0x1) [0047.869] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.869] Sleep (dwMilliseconds=0x1) [0047.884] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.884] Sleep (dwMilliseconds=0x1) [0047.900] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.900] Sleep (dwMilliseconds=0x1) [0047.915] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.916] Sleep (dwMilliseconds=0x1) [0047.931] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.931] Sleep (dwMilliseconds=0x1) [0047.947] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.947] Sleep (dwMilliseconds=0x1) [0047.962] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.962] Sleep (dwMilliseconds=0x1) [0047.978] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.978] Sleep (dwMilliseconds=0x1) [0047.994] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0047.994] Sleep (dwMilliseconds=0x1) [0048.009] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.009] Sleep (dwMilliseconds=0x1) [0048.025] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.025] Sleep (dwMilliseconds=0x1) [0048.041] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.041] Sleep (dwMilliseconds=0x1) [0048.056] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.056] Sleep (dwMilliseconds=0x1) [0048.072] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.072] Sleep (dwMilliseconds=0x1) [0048.087] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.087] Sleep (dwMilliseconds=0x1) [0048.103] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.103] Sleep (dwMilliseconds=0x1) [0048.118] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.118] Sleep (dwMilliseconds=0x1) [0048.134] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.134] Sleep (dwMilliseconds=0x1) [0048.149] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.149] Sleep (dwMilliseconds=0x1) [0048.165] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.165] Sleep (dwMilliseconds=0x1) [0048.181] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.181] Sleep (dwMilliseconds=0x1) [0048.196] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.196] Sleep (dwMilliseconds=0x1) [0048.212] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.212] Sleep (dwMilliseconds=0x1) [0048.228] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.228] Sleep (dwMilliseconds=0x1) [0048.243] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.243] Sleep (dwMilliseconds=0x1) [0048.259] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.259] Sleep (dwMilliseconds=0x1) [0048.274] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.274] Sleep (dwMilliseconds=0x1) [0048.290] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.290] Sleep (dwMilliseconds=0x1) [0048.306] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.306] Sleep (dwMilliseconds=0x1) [0048.321] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.321] Sleep (dwMilliseconds=0x1) [0048.337] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.337] Sleep (dwMilliseconds=0x1) [0048.353] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.353] Sleep (dwMilliseconds=0x1) [0048.368] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.368] Sleep (dwMilliseconds=0x1) [0048.384] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.384] Sleep (dwMilliseconds=0x1) [0048.399] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.399] Sleep (dwMilliseconds=0x1) [0048.415] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.415] Sleep (dwMilliseconds=0x1) [0048.430] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.430] Sleep (dwMilliseconds=0x1) [0048.446] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.446] Sleep (dwMilliseconds=0x1) [0048.462] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.462] Sleep (dwMilliseconds=0x1) [0048.477] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.477] Sleep (dwMilliseconds=0x1) [0048.494] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.494] Sleep (dwMilliseconds=0x1) [0048.508] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.508] Sleep (dwMilliseconds=0x1) [0048.526] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.526] Sleep (dwMilliseconds=0x1) [0048.545] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.545] Sleep (dwMilliseconds=0x1) [0048.555] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.555] Sleep (dwMilliseconds=0x1) [0048.572] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.572] Sleep (dwMilliseconds=0x1) [0048.586] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.586] Sleep (dwMilliseconds=0x1) [0048.602] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.602] Sleep (dwMilliseconds=0x1) [0048.618] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.618] Sleep (dwMilliseconds=0x1) [0048.633] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.633] Sleep (dwMilliseconds=0x1) [0048.649] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.649] Sleep (dwMilliseconds=0x1) [0048.669] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.669] Sleep (dwMilliseconds=0x1) [0048.680] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.680] Sleep (dwMilliseconds=0x1) [0048.699] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.699] Sleep (dwMilliseconds=0x1) [0048.711] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.711] Sleep (dwMilliseconds=0x1) [0048.727] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.727] Sleep (dwMilliseconds=0x1) [0048.742] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.742] Sleep (dwMilliseconds=0x1) [0048.758] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.758] Sleep (dwMilliseconds=0x1) [0048.774] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.774] Sleep (dwMilliseconds=0x1) [0048.789] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.789] Sleep (dwMilliseconds=0x1) [0048.805] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.805] Sleep (dwMilliseconds=0x1) [0048.820] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.820] Sleep (dwMilliseconds=0x1) [0048.837] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.837] Sleep (dwMilliseconds=0x1) [0048.852] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.852] Sleep (dwMilliseconds=0x1) [0048.867] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.867] Sleep (dwMilliseconds=0x1) [0048.883] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.883] Sleep (dwMilliseconds=0x1) [0048.898] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.898] Sleep (dwMilliseconds=0x1) [0048.915] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.915] Sleep (dwMilliseconds=0x1) [0048.930] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.930] Sleep (dwMilliseconds=0x1) [0048.945] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.945] Sleep (dwMilliseconds=0x1) [0048.961] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.961] Sleep (dwMilliseconds=0x1) [0048.976] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.976] Sleep (dwMilliseconds=0x1) [0048.992] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0048.992] Sleep (dwMilliseconds=0x1) [0049.008] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.008] Sleep (dwMilliseconds=0x1) [0049.023] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.023] Sleep (dwMilliseconds=0x1) [0049.039] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.039] Sleep (dwMilliseconds=0x1) [0049.054] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.054] Sleep (dwMilliseconds=0x1) [0049.070] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.070] Sleep (dwMilliseconds=0x1) [0049.086] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.086] Sleep (dwMilliseconds=0x1) [0049.101] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.101] Sleep (dwMilliseconds=0x1) [0049.117] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.117] Sleep (dwMilliseconds=0x1) [0049.132] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.132] Sleep (dwMilliseconds=0x1) [0049.148] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.148] Sleep (dwMilliseconds=0x1) [0049.164] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.164] Sleep (dwMilliseconds=0x1) [0049.179] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.179] Sleep (dwMilliseconds=0x1) [0049.195] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.195] Sleep (dwMilliseconds=0x1) [0049.210] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.210] Sleep (dwMilliseconds=0x1) [0049.227] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.227] Sleep (dwMilliseconds=0x1) [0049.242] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.242] Sleep (dwMilliseconds=0x1) [0049.257] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.257] Sleep (dwMilliseconds=0x1) [0049.273] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.273] Sleep (dwMilliseconds=0x1) [0049.288] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.288] Sleep (dwMilliseconds=0x1) [0049.304] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.304] Sleep (dwMilliseconds=0x1) [0049.320] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.320] Sleep (dwMilliseconds=0x1) [0049.335] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.335] Sleep (dwMilliseconds=0x1) [0049.351] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.351] Sleep (dwMilliseconds=0x1) [0049.367] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.367] Sleep (dwMilliseconds=0x1) [0049.382] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.382] Sleep (dwMilliseconds=0x1) [0049.398] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.398] Sleep (dwMilliseconds=0x1) [0049.413] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.413] Sleep (dwMilliseconds=0x1) [0049.429] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.429] Sleep (dwMilliseconds=0x1) [0049.444] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.444] Sleep (dwMilliseconds=0x1) [0049.460] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.460] Sleep (dwMilliseconds=0x1) [0049.476] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.476] Sleep (dwMilliseconds=0x1) [0049.491] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.491] Sleep (dwMilliseconds=0x1) [0049.507] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.507] Sleep (dwMilliseconds=0x1) [0049.522] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.522] Sleep (dwMilliseconds=0x1) [0049.538] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.538] Sleep (dwMilliseconds=0x1) [0049.557] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.557] Sleep (dwMilliseconds=0x1) [0049.569] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.569] Sleep (dwMilliseconds=0x1) [0049.585] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.585] Sleep (dwMilliseconds=0x1) [0049.600] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.600] Sleep (dwMilliseconds=0x1) [0049.621] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.621] Sleep (dwMilliseconds=0x1) [0049.632] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.632] Sleep (dwMilliseconds=0x1) [0049.647] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.647] Sleep (dwMilliseconds=0x1) [0049.663] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.663] Sleep (dwMilliseconds=0x1) [0049.678] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.678] Sleep (dwMilliseconds=0x1) [0049.694] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.694] Sleep (dwMilliseconds=0x1) [0049.709] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.710] Sleep (dwMilliseconds=0x1) [0049.725] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.725] Sleep (dwMilliseconds=0x1) [0049.741] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.741] Sleep (dwMilliseconds=0x1) [0049.757] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.757] Sleep (dwMilliseconds=0x1) [0049.772] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.772] Sleep (dwMilliseconds=0x1) [0049.788] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.788] Sleep (dwMilliseconds=0x1) [0049.803] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.803] Sleep (dwMilliseconds=0x1) [0049.819] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.819] Sleep (dwMilliseconds=0x1) [0049.834] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.834] Sleep (dwMilliseconds=0x1) [0049.850] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.850] Sleep (dwMilliseconds=0x1) [0049.866] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.866] Sleep (dwMilliseconds=0x1) [0049.881] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.881] Sleep (dwMilliseconds=0x1) [0049.897] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.897] Sleep (dwMilliseconds=0x1) [0049.913] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.913] Sleep (dwMilliseconds=0x1) [0049.928] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.928] Sleep (dwMilliseconds=0x1) [0049.948] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.948] Sleep (dwMilliseconds=0x1) [0049.959] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.959] Sleep (dwMilliseconds=0x1) [0049.975] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.975] Sleep (dwMilliseconds=0x1) [0049.990] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0049.990] Sleep (dwMilliseconds=0x1) [0050.006] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.006] Sleep (dwMilliseconds=0x1) [0050.021] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.021] Sleep (dwMilliseconds=0x1) [0050.039] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.039] Sleep (dwMilliseconds=0x1) [0050.053] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.053] Sleep (dwMilliseconds=0x1) [0050.076] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.076] Sleep (dwMilliseconds=0x1) [0050.084] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.084] Sleep (dwMilliseconds=0x1) [0050.100] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.100] Sleep (dwMilliseconds=0x1) [0050.116] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.116] Sleep (dwMilliseconds=0x1) [0050.133] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.133] Sleep (dwMilliseconds=0x1) [0050.146] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.146] Sleep (dwMilliseconds=0x1) [0050.162] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.162] Sleep (dwMilliseconds=0x1) [0050.178] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.178] Sleep (dwMilliseconds=0x1) [0050.193] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.193] Sleep (dwMilliseconds=0x1) [0050.209] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.209] Sleep (dwMilliseconds=0x1) [0050.224] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.224] Sleep (dwMilliseconds=0x1) [0050.240] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.240] Sleep (dwMilliseconds=0x1) [0050.256] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.256] Sleep (dwMilliseconds=0x1) [0050.271] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.271] Sleep (dwMilliseconds=0x1) [0050.287] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.287] Sleep (dwMilliseconds=0x1) [0050.302] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.302] Sleep (dwMilliseconds=0x1) [0050.318] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.318] Sleep (dwMilliseconds=0x1) [0050.335] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.335] Sleep (dwMilliseconds=0x1) [0050.349] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.349] Sleep (dwMilliseconds=0x1) [0050.365] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.365] Sleep (dwMilliseconds=0x1) [0050.380] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.380] Sleep (dwMilliseconds=0x1) [0050.396] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.396] Sleep (dwMilliseconds=0x1) [0050.412] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.412] Sleep (dwMilliseconds=0x1) [0050.427] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.427] Sleep (dwMilliseconds=0x1) [0050.443] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.443] Sleep (dwMilliseconds=0x1) [0050.458] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=431, y=118)) returned 1 [0050.458] Sleep (dwMilliseconds=0x1) [0050.474] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1040, y=843)) returned 1 [0050.474] SetErrorMode (uMode=0x8001) returned 0x0 [0050.474] LoadLibraryA (lpLibFileName="advapi32") returned 0x76760000 [0050.474] SetErrorMode (uMode=0x0) returned 0x8001 [0050.474] GetProcAddress (hModule=0x76760000, lpProcName="RegOpenKeyExA") returned 0x76774907 [0050.474] SetErrorMode (uMode=0x8001) returned 0x0 [0050.475] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0050.475] SetErrorMode (uMode=0x0) returned 0x8001 [0050.475] GetProcAddress (hModule=0x765b0000, lpProcName="CloseHandle") returned 0x765c1410 [0050.475] SetErrorMode (uMode=0x8001) returned 0x0 [0050.475] LoadLibraryA (lpLibFileName="shell32") returned 0x75790000 [0051.480] SetErrorMode (uMode=0x0) returned 0x8001 [0051.480] GetProcAddress (hModule=0x75790000, lpProcName="ShellExecuteW") returned 0x757a3c71 [0051.480] SetErrorMode (uMode=0x8001) returned 0x0 [0051.480] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.480] SetErrorMode (uMode=0x0) returned 0x8001 [0051.480] GetProcAddress (hModule=0x765b0000, lpProcName="WriteFile") returned 0x765c1282 [0051.480] SetErrorMode (uMode=0x8001) returned 0x0 [0051.480] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.480] SetErrorMode (uMode=0x0) returned 0x8001 [0051.481] GetProcAddress (hModule=0x765b0000, lpProcName="CreateFileW") returned 0x765c3f5c [0051.481] SetErrorMode (uMode=0x8001) returned 0x0 [0051.481] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.481] SetErrorMode (uMode=0x0) returned 0x8001 [0051.481] GetProcAddress (hModule=0x765b0000, lpProcName="TerminateProcess") returned 0x765dd802 [0051.481] SetErrorMode (uMode=0x8001) returned 0x0 [0051.481] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.481] SetErrorMode (uMode=0x0) returned 0x8001 [0051.481] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualProtectEx") returned 0x766445bf [0051.481] SetErrorMode (uMode=0x8001) returned 0x0 [0051.481] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.481] SetErrorMode (uMode=0x0) returned 0x8001 [0051.481] GetProcAddress (hModule=0x765b0000, lpProcName="CreateProcessW") returned 0x765c103d [0051.481] SetErrorMode (uMode=0x8001) returned 0x0 [0051.481] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.481] SetErrorMode (uMode=0x0) returned 0x8001 [0051.482] GetProcAddress (hModule=0x765b0000, lpProcName="GetTempPathW") returned 0x765dd4dc [0051.482] SetErrorMode (uMode=0x8001) returned 0x0 [0051.482] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.482] SetErrorMode (uMode=0x0) returned 0x8001 [0051.482] GetProcAddress (hModule=0x765b0000, lpProcName="GetLongPathNameW") returned 0x765ca315 [0051.482] SetErrorMode (uMode=0x8001) returned 0x0 [0051.482] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.482] SetErrorMode (uMode=0x0) returned 0x8001 [0051.482] GetProcAddress (hModule=0x765b0000, lpProcName="GetFileSize") returned 0x765c196e [0051.482] SetErrorMode (uMode=0x8001) returned 0x0 [0051.482] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.482] SetErrorMode (uMode=0x0) returned 0x8001 [0051.482] GetProcAddress (hModule=0x765b0000, lpProcName="ReadFile") returned 0x765c3ed3 [0051.482] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x1ea, flAllocationType=0x3000, flProtect=0x4) returned 0x3b0000 [0051.488] SetErrorMode (uMode=0x8001) returned 0x0 [0051.488] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.488] SetErrorMode (uMode=0x0) returned 0x8001 [0051.488] GetProcAddress (hModule=0x765b0000, lpProcName="GetCommandLineW") returned 0x765c5223 [0051.488] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" " [0051.488] CreateProcessW (in: lpApplicationName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", lpCommandLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x34c0048*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34c008c | out: lpCommandLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" ", lpProcessInformation=0x34c008c*(hProcess=0x148, hThread=0x144, dwProcessId=0xa24, dwThreadId=0xa28)) returned 1 [0051.491] SetErrorMode (uMode=0x8001) returned 0x0 [0051.491] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.491] SetErrorMode (uMode=0x0) returned 0x8001 [0051.491] GetProcAddress (hModule=0x77560000, lpProcName="NtAllocateVirtualMemory") returned 0x7757fab0 [0051.491] SetErrorMode (uMode=0x8001) returned 0x0 [0051.491] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.491] SetErrorMode (uMode=0x0) returned 0x8001 [0051.491] GetProcAddress (hModule=0x77560000, lpProcName="NtWriteVirtualMemory") returned 0x7757fe04 [0051.491] SetErrorMode (uMode=0x8001) returned 0x0 [0051.491] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.491] SetErrorMode (uMode=0x0) returned 0x8001 [0051.492] GetProcAddress (hModule=0x77560000, lpProcName="NtTerminateThread") returned 0x77580074 [0051.492] SetErrorMode (uMode=0x8001) returned 0x0 [0051.492] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.492] SetErrorMode (uMode=0x0) returned 0x8001 [0051.492] GetProcAddress (hModule=0x77560000, lpProcName="NtOpenEvent") returned 0x7757fe98 [0051.492] SetErrorMode (uMode=0x8001) returned 0x0 [0051.492] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.492] SetErrorMode (uMode=0x0) returned 0x8001 [0051.492] GetProcAddress (hModule=0x77560000, lpProcName="NtUnmapViewOfSection") returned 0x7757fc70 [0051.492] NtUnmapViewOfSection (ProcessHandle=0x148, BaseAddress=0x400000) returned 0x0 [0051.499] NtAllocateVirtualMemory (in: ProcessHandle=0x148, BaseAddress=0x34c0004*=0x400000, ZeroBits=0x0, RegionSize=0x34c6118*=0x24000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x34c0004*=0x400000, RegionSize=0x34c6118*=0x24000) returned 0x0 [0051.511] NtWriteVirtualMemory (in: ProcessHandle=0x148, BaseAddress=0x400000, Buffer=0x34c6000*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x34c6000*, NumberOfBytesWritten=0x0) returned 0x0 [0051.512] NtWriteVirtualMemory (in: ProcessHandle=0x148, BaseAddress=0x400000, Buffer=0x34c6000*, NumberOfBytesToWrite=0x1, NumberOfBytesWritten=0x0 | out: Buffer=0x34c6000*, NumberOfBytesWritten=0x0) returned 0x0 [0051.512] NtWriteVirtualMemory (in: ProcessHandle=0x148, BaseAddress=0x401000, Buffer=0x34c7000*, NumberOfBytesToWrite=0x22a00, NumberOfBytesWritten=0x0 | out: Buffer=0x34c7000*, NumberOfBytesWritten=0x0) returned 0x0 [0051.513] SetErrorMode (uMode=0x8001) returned 0x0 [0051.513] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.513] SetErrorMode (uMode=0x0) returned 0x8001 [0051.514] GetProcAddress (hModule=0x77560000, lpProcName="NtGetContextThread") returned 0x77580c20 [0051.514] NtGetContextThread (in: ThreadHandle=0x144, Context=0x34c009c | out: Context=0x34c009c*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x4012a4, Ebp=0x0, Eip=0x775701c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x40, [6]=0x2, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0051.514] NtWriteVirtualMemory (in: ProcessHandle=0x148, BaseAddress=0x7efde008, Buffer=0x34c0004*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x0 | out: Buffer=0x34c0004*, NumberOfBytesWritten=0x0) returned 0x0 [0051.514] SetErrorMode (uMode=0x8001) returned 0x0 [0051.514] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.514] SetErrorMode (uMode=0x0) returned 0x8001 [0051.514] GetProcAddress (hModule=0x77560000, lpProcName="NtSetContextThread") returned 0x77581910 [0051.514] NtSetContextThread (ThreadHandle=0x144, Context=0x34c009c*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x418c20, Ebp=0x0, Eip=0x775701c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x40, [6]=0x2, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0051.515] SetErrorMode (uMode=0x8001) returned 0x0 [0051.515] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0051.515] SetErrorMode (uMode=0x0) returned 0x8001 [0051.515] GetProcAddress (hModule=0x77560000, lpProcName="NtResumeThread") returned 0x77580058 [0051.515] NtResumeThread (in: ThreadHandle=0x144, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0051.515] SetErrorMode (uMode=0x8001) returned 0x0 [0051.515] LoadLibraryA (lpLibFileName="kernel32") returned 0x765b0000 [0051.515] SetErrorMode (uMode=0x0) returned 0x8001 [0051.515] GetProcAddress (hModule=0x765b0000, lpProcName="GetExitCodeProcess") returned 0x765d174d [0051.515] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x34c07fc | out: lpExitCode=0x34c07fc*=0x103) returned 1 [0051.515] TerminateProcess (hProcess=0xffffffff, uExitCode=0x0) Thread: id = 2 os_tid = 0xa08 Process: id = "2" image_name = "lxqfwvdqlkd.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe" page_root = "0x64d7d000" os_pid = "0xa24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9f4" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 215 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 216 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 217 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 218 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 219 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 220 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 221 start_va = 0x400000 end_va = 0x423fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 222 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 223 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 224 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 225 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 226 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 227 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 228 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 229 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 230 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 231 start_va = 0x300000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 232 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 233 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 234 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 235 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 236 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 237 start_va = 0x590000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 238 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 239 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 240 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 241 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 242 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 243 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 244 start_va = 0x690000 end_va = 0x810fff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 245 start_va = 0x820000 end_va = 0xb22fff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 246 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 247 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 248 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 249 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 250 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 251 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 252 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 253 start_va = 0xb30000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 254 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 255 start_va = 0x250000 end_va = 0x273fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 256 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 257 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 258 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 259 start_va = 0x690000 end_va = 0x71afff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 669 start_va = 0x30000 end_va = 0x3dfff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 670 start_va = 0x280000 end_va = 0x28dfff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 671 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 672 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 673 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 674 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 675 start_va = 0x290000 end_va = 0x2adfff entry_point = 0x2a158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 676 start_va = 0xb30000 end_va = 0xcb7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 677 start_va = 0xcd0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 678 start_va = 0x290000 end_va = 0x2adfff entry_point = 0x2a158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 679 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 680 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 681 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 682 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 683 start_va = 0xce0000 end_va = 0xe60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 684 start_va = 0xe70000 end_va = 0x226ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 717 start_va = 0x2b0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 719 start_va = 0x2e0000 end_va = 0x2f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Thread: id = 3 os_tid = 0xa28 [0051.570] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x18f36c | out: HeapArray=0x18f36c*=0x590000) returned 0x1 [0051.576] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x18f320, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0051.577] NtCreateFile (in: FileHandle=0x18f34c, DesiredAccess=0x120089, ObjectAttributes=0x18f308*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f328, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f34c*=0x20, IoStatusBlock=0x18f328*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0051.587] NtQueryInformationFile (in: FileHandle=0x20, IoStatusBlock=0x18f328, FileInformation=0x18f280, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x18f328, FileInformation=0x18f280) returned 0x0 [0051.604] NtReadFile (in: FileHandle=0x20, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x18f328, Buffer=0x430020, BufferLength=0x13b740, ByteOffset=0x18f298*=0, Key=0x0 | out: IoStatusBlock=0x18f328, Buffer=0x430020*) returned 0x0 [0051.654] NtClose (Handle=0x20) returned 0x0 [0051.690] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x18f2c0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0051.690] NtCreateFile (in: FileHandle=0x18f2ec, DesiredAccess=0x120089, ObjectAttributes=0x18f2a8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f2c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f2ec*=0x20, IoStatusBlock=0x18f2c8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0051.690] NtQueryInformationFile (in: FileHandle=0x20, IoStatusBlock=0x18f2c8, FileInformation=0x18f03c, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x18f2c8, FileInformation=0x18f03c) returned 0x0 [0051.690] NtClose (Handle=0x20) returned 0x0 [0051.694] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x73b41320, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x18f2f8, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x18f2f8*(BaseAddress=0x73b41000, AllocationBase=0x73b40000, AllocationProtect=0x80, RegionSize=0x3000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0051.913] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x18f350, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x18f350, ResultLength=0x0) returned 0x0 [0051.915] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x18f374, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x18f374, ReturnLength=0x0) returned 0x0 [0051.927] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f004*=0x0, ZeroBits=0x0, RegionSize=0x18f008*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x18f004*=0x20000, RegionSize=0x18f008*=0x10000) returned 0x0 [0051.933] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0 [0051.951] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x18f364*=0x20000, RegionSize=0x18f368, FreeType=0x8000) returned 0x0 [0051.963] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x18f120 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0051.963] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32.dll", BaseAddress=0x18f190 | out: BaseAddress=0x18f190*=0x76760000) returned 0x0 [0051.981] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18f37c | out: TokenHandle=0x18f37c*=0x3c) returned 0x0 [0051.984] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18f370 | out: lpLuid=0x18f370*(LowPart=0x14, HighPart=0)) returned 1 [0051.988] NtAdjustPrivilegesToken (in: TokenHandle=0x3c, DisableAllPrivileges=0, NewState=0x18f36c, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x0 [0051.990] NtClose (Handle=0x3c) returned 0x0 [0051.990] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x18e948 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0051.999] RtlSetEnvironmentVariable (in: Environment=0x0, Name="L53886-W", Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" | out: Environment=0x0) returned 0x0 [0052.000] NtCreateSection (in: SectionHandle=0x18ee48, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18ebe8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18ee48*=0x3c) returned 0x0 [0052.003] NtMapViewOfSection (in: SectionHandle=0x3c, ProcessHandle=0xffffffff, BaseAddress=0x18ee4c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18ebe8*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18ee4c*=0x250000, SectionOffset=0x0, ViewSize=0x18ebe8*=0x24000) returned 0x0 [0052.005] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18e550*=0x0, ZeroBits=0x0, RegionSize=0x18e554*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x18e550*=0x20000, RegionSize=0x18e554*=0x10000) returned 0x0 [0052.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0 [0052.009] NtOpenProcess (in: ProcessHandle=0x18eba4, DesiredAccess=0x438, ObjectAttributes=0x18ebc4*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18eb98*(UniqueProcess=0x564, UniqueThread=0x0) | out: ProcessHandle=0x18eba4*=0x84) returned 0x0 [0052.009] NtQueryInformationProcess (in: ProcessHandle=0x84, ProcessInformationClass=0x1a, ProcessInformation=0x18e8b0, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x18e8b0, ReturnLength=0x0) returned 0x0 [0052.009] NtCreateSection (in: SectionHandle=0x18e54c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18e50c, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18e54c*=0x88) returned 0x0 [0052.009] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0xffffffff, BaseAddress=0x18e554*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18e50c*=0x8a840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18e554*=0x690000, SectionOffset=0x0, ViewSize=0x18e50c*=0x8b000) returned 0x0 [0052.009] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0x84, BaseAddress=0x18e550*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18e548*=0x8a840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18e550*=0x2dc0000, SectionOffset=0x0, ViewSize=0x18e548*=0x8b000) returned 0x0 [0056.604] NtClose (Handle=0x88) returned 0x0 [0056.605] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18d718 | out: TokenHandle=0x18d718*=0x88) returned 0x0 [0056.608] NtQueryInformationToken (in: TokenHandle=0x88, TokenInformationClass=0x1, TokenInformation=0x18cf10, TokenInformationLength=0x400, ReturnLength=0x18d710 | out: TokenInformation=0x18cf10, ReturnLength=0x18d710) returned 0x0 [0056.609] ConvertSidToStringSidW () returned 0x1 [0056.609] NtClose (Handle=0x88) returned 0x0 [0056.609] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18d988*=0x0, ZeroBits=0x0, RegionSize=0x18d98c*=0xdcba, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x18d988*=0x30000, RegionSize=0x18d98c*=0xe000) returned 0x0 [0056.610] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18d974*=0x0, ZeroBits=0x0, RegionSize=0x18d978*=0xdcba, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x18d974*=0x280000, RegionSize=0x18d978*=0xe000) returned 0x0 [0056.616] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18d98c*=0x418d32, NumberOfBytesToProtect=0x18d990, NewAccessProtection=0x40, OldAccessProtection=0x18e4dc | out: BaseAddress=0x18d98c*=0x418000, NumberOfBytesToProtect=0x18d990, OldAccessProtection=0x18e4dc*=0x40) returned 0x0 [0056.622] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x18e28c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0056.624] NtCreateFile (in: FileHandle=0x18e2b8, DesiredAccess=0x120089, ObjectAttributes=0x18e274*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18e294, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18e2b8*=0x88, IoStatusBlock=0x18e294*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0056.627] NtQueryInformationFile (in: FileHandle=0x88, IoStatusBlock=0x18e294, FileInformation=0x18e008, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x18e294, FileInformation=0x18e008) returned 0x0 [0056.627] NtClose (Handle=0x88) returned 0x0 [0056.636] NtOpenProcess (in: ProcessHandle=0x18e4a8, DesiredAccess=0x438, ObjectAttributes=0x18da68*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18daa8*(UniqueProcess=0x564, UniqueThread=0x0) | out: ProcessHandle=0x18e4a8*=0x88) returned 0x0 [0056.639] NtQueryInformationProcess (in: ProcessHandle=0x88, ProcessInformationClass=0x0, ProcessInformation=0x18dab8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x18dab8, ReturnLength=0x0) returned 0x0 [0056.642] NtReadVirtualMemory (in: ProcessHandle=0x88, BaseAddress=0x7fffffdf000, Buffer=0x18df20, NumberOfBytesToRead=0x40, NumberOfBytesRead=0x0 | out: Buffer=0x18df20*, NumberOfBytesRead=0x0) returned 0x0 [0056.645] NtOpenThread (in: ThreadHandle=0x18da60, DesiredAccess=0x1a, ObjectAttributes=0x18da68, ClientId=0x18da98*(UniqueProcess=0x0, UniqueThread=0x568) | out: ThreadHandle=0x18da60*=0x8c) returned 0x0 [0056.648] NtSuspendThread (in: ThreadHandle=0x8c, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0056.653] NtGetContextThread (in: ThreadHandle=0x8c, Context=0x18dfa0 | out: Context=0x18dfa0*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0xc0, [65]=0x6, [66]=0x2, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xf2, [73]=0x6, [74]=0x1, [75]=0x8, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x3b, SegGs=0x0, SegFs=0x2bf0df0, SegEs=0x0, SegDs=0x18f168, Edi=0x0, Esi=0x100ec, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x7, SegCs=0x0, EFlags=0x1, Esp=0x0, SegSs=0x15, ExtendedRegisters=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xe8, [5]=0xd9, [6]=0xaa, [7]=0x4, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x3a, [45]=0x93, [46]=0x17, [47]=0x77, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x98, [213]=0x78, [214]=0x80, [215]=0x57, [216]=0x4f, [217]=0x8c, [218]=0x62, [219]=0x44, [220]=0xbb, [221]=0x63, [222]=0x71, [223]=0x4, [224]=0x23, [225]=0x80, [226]=0xb1, [227]=0x9, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0056.657] NtSetContextThread (ThreadHandle=0x8c, Context=0x18dfa0*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0xc0, [65]=0x6, [66]=0x2, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xf2, [73]=0x6, [74]=0x1, [75]=0x8, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x3b, SegGs=0x0, SegFs=0x2bf0df0, SegEs=0x0, SegDs=0x18f168, Edi=0x0, Esi=0x100ec, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x7, SegCs=0x0, EFlags=0x1, Esp=0x0, SegSs=0x15, ExtendedRegisters=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xe8, [5]=0xd9, [6]=0xaa, [7]=0x4, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x89, [45]=0x8e, [46]=0xdd, [47]=0x2, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x98, [213]=0x78, [214]=0x80, [215]=0x57, [216]=0x4f, [217]=0x8c, [218]=0x62, [219]=0x44, [220]=0xbb, [221]=0x63, [222]=0x71, [223]=0x4, [224]=0x23, [225]=0x80, [226]=0xb1, [227]=0x9, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0056.657] NtQueueApcThread (ThreadHandle=0x8c, ApcRoutine=0x2dd8ead, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0056.660] NtResumeThread (in: ThreadHandle=0x8c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0056.660] NtClose (Handle=0x88) returned 0x0 [0056.660] NtClose (Handle=0x8c) returned 0x0 [0056.660] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="user32.dll", BaseAddress=0x18e194 | out: BaseAddress=0x18e194*=0x75120000) returned 0x0 [0056.678] PostThreadMessageW (idThread=0x568, Msg=0x111, wParam=0x0, lParam=0x0) returned 1 [0056.705] NtDelayExecution (Alertable=0, Interval=0x18e20c*=-30000000) returned 0x0 [0059.721] NtReadVirtualMemory (in: ProcessHandle=0x84, BaseAddress=0x2e0b000, Buffer=0x18e230, NumberOfBytesToRead=0x2a8, NumberOfBytesRead=0x0 | out: Buffer=0x18e230*, NumberOfBytesRead=0x0) returned 0x0 [0059.721] NtClose (Handle=0x84) returned 0x0 [0059.721] NtOpenProcess (in: ProcessHandle=0x18f304, DesiredAccess=0x438, ObjectAttributes=0x18ebc4*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18eb98*(UniqueProcess=0xa38, UniqueThread=0x0) | out: ProcessHandle=0x18f304*=0x84) returned 0x0 [0059.730] NtOpenThread (in: ThreadHandle=0x18f308, DesiredAccess=0x1a, ObjectAttributes=0x18ebc4, ClientId=0x18eb90*(UniqueProcess=0x0, UniqueThread=0xa3c) | out: ThreadHandle=0x18f308*=0x9c) returned 0x0 [0059.730] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\msiexec.exe", NtPathName=0x18e1d4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\msiexec.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0059.730] NtCreateFile (in: FileHandle=0x18e200, DesiredAccess=0x120089, ObjectAttributes=0x18e1bc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\msiexec.exe" (normalized: "c:\\windows\\syswow64\\msiexec.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18e1dc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18e200*=0xa0, IoStatusBlock=0x18e1dc*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0059.730] NtQueryInformationFile (in: FileHandle=0xa0, IoStatusBlock=0x18e1dc, FileInformation=0x18e134, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x18e1dc, FileInformation=0x18e134) returned 0x0 [0059.742] NtReadFile (in: FileHandle=0xa0, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x18e1dc, Buffer=0x5a4d70, BufferLength=0x11e00, ByteOffset=0x18e14c*=0, Key=0x0 | out: IoStatusBlock=0x18e1dc, Buffer=0x5a4d70*) returned 0x0 [0059.784] NtClose (Handle=0xa0) returned 0x0 [0059.785] NtQueryInformationProcess (in: ProcessHandle=0x84, ProcessInformationClass=0x0, ProcessInformation=0x18e534, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x18e534, ReturnLength=0x0) returned 0x0 [0059.785] NtReadVirtualMemory (in: ProcessHandle=0x84, BaseAddress=0x7efde008, Buffer=0x18f0f8, NumberOfBytesToRead=0x4, NumberOfBytesRead=0x0 | out: Buffer=0x18f0f8*, NumberOfBytesRead=0x0) returned 0x0 [0059.785] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x18ebdc*=0x20000, RegionSize=0x18ebe0, FreeType=0x8000) returned 0x0 [0059.786] NtReadVirtualMemory (in: ProcessHandle=0x84, BaseAddress=0x9e0000, Buffer=0x5b6f78, NumberOfBytesToRead=0x14000, NumberOfBytesRead=0x0 | out: Buffer=0x5b6f78*, NumberOfBytesRead=0x0) returned 0x0 [0059.792] NtCreateSection (in: SectionHandle=0x18f394, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18ebe8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18f394*=0xa0) returned 0x0 [0059.792] NtMapViewOfSection (in: SectionHandle=0xa0, ProcessHandle=0xffffffff, BaseAddress=0x18f390*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18ebe8*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18f390*=0x2b0000, SectionOffset=0x0, ViewSize=0x18ebe8*=0x24000) returned 0x0 [0059.792] NtMapViewOfSection (in: SectionHandle=0xa0, ProcessHandle=0x84, BaseAddress=0x18ee50*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18f07c*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18ee50*=0xd0000, SectionOffset=0x0, ViewSize=0x18f07c*=0x24000) returned 0x0 [0059.793] NtCreateSection (in: SectionHandle=0x18f0f0, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18ebf8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18f0f0*=0xa4) returned 0x0 [0059.793] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0xffffffff, BaseAddress=0x18f0f4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18ebf8*=0x14000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18f0f4*=0x2e0000, SectionOffset=0x0, ViewSize=0x18ebf8*=0x14000) returned 0x0 [0059.798] NtUnmapViewOfSection (ProcessHandle=0x84, BaseAddress=0x9e0000) returned 0x0 [0059.799] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0x84, BaseAddress=0x18f0f8*=0x9e0000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18f324*=0x14000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18f0f8*=0x9e0000, SectionOffset=0x0, ViewSize=0x18f324*=0x14000) returned 0x0 [0059.804] NtResumeThread (in: ThreadHandle=0x9c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0059.806] ExitProcess (uExitCode=0x0) Thread: id = 4 os_tid = 0xa2c Process: id = "3" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x9e01000" os_pid = "0x564" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "2" os_parent_pid = "0xa24" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 260 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 261 start_va = 0x20000 end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 262 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 263 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 264 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 265 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 266 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 267 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 268 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 269 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 270 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 271 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 272 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 273 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 274 start_va = 0x1f0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 275 start_va = 0x200000 end_va = 0x217fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 276 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 277 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 278 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 279 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 280 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 281 start_va = 0x450000 end_va = 0x5d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 282 start_va = 0x5e0000 end_va = 0x760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 283 start_va = 0x770000 end_va = 0x1b6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 284 start_va = 0x1b70000 end_va = 0x1f62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b70000" filename = "" Region: id = 285 start_va = 0x1f70000 end_va = 0x1f8bfff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 286 start_va = 0x1f90000 end_va = 0x1f92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f90000" filename = "" Region: id = 287 start_va = 0x1fa0000 end_va = 0x1fa4fff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 288 start_va = 0x1fb0000 end_va = 0x1fbffff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 289 start_va = 0x1fc0000 end_va = 0x1fc0fff entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 290 start_va = 0x1fd0000 end_va = 0x204ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 291 start_va = 0x2050000 end_va = 0x20cffff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 292 start_va = 0x20d0000 end_va = 0x21aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020d0000" filename = "" Region: id = 293 start_va = 0x21b0000 end_va = 0x247efff entry_point = 0x21b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 294 start_va = 0x2480000 end_va = 0x2481fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 295 start_va = 0x2490000 end_va = 0x2491fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002490000" filename = "" Region: id = 296 start_va = 0x24a0000 end_va = 0x24a2fff entry_point = 0x24a0000 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui") Region: id = 297 start_va = 0x24b0000 end_va = 0x24b0fff entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 298 start_va = 0x24c0000 end_va = 0x24dbfff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 299 start_va = 0x24e0000 end_va = 0x24e0fff entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 300 start_va = 0x24f0000 end_va = 0x256ffff entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 301 start_va = 0x2570000 end_va = 0x2578fff entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 302 start_va = 0x2580000 end_va = 0x25dffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 303 start_va = 0x25e0000 end_va = 0x264bfff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 304 start_va = 0x2650000 end_va = 0x274ffff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 305 start_va = 0x2750000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 306 start_va = 0x2780000 end_va = 0x278ffff entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 307 start_va = 0x2790000 end_va = 0x279ffff entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 308 start_va = 0x27a0000 end_va = 0x27affff entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 309 start_va = 0x27b0000 end_va = 0x27bffff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 310 start_va = 0x27c0000 end_va = 0x27cffff entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 311 start_va = 0x27d0000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 312 start_va = 0x27e0000 end_va = 0x27effff entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 313 start_va = 0x27f0000 end_va = 0x27fffff entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 314 start_va = 0x2800000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 315 start_va = 0x2810000 end_va = 0x281ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 316 start_va = 0x2820000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 317 start_va = 0x2830000 end_va = 0x292ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 318 start_va = 0x2930000 end_va = 0x2931fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002930000" filename = "" Region: id = 319 start_va = 0x2940000 end_va = 0x2940fff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 320 start_va = 0x2950000 end_va = 0x2950fff entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 321 start_va = 0x2960000 end_va = 0x2967fff entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 322 start_va = 0x2970000 end_va = 0x299ffff entry_point = 0x2970000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000010.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db") Region: id = 323 start_va = 0x29a0000 end_va = 0x29a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029a0000" filename = "" Region: id = 324 start_va = 0x29b0000 end_va = 0x29b3fff entry_point = 0x29b0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 325 start_va = 0x29c0000 end_va = 0x29c3fff entry_point = 0x29c0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 326 start_va = 0x29d0000 end_va = 0x29d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029d0000" filename = "" Region: id = 327 start_va = 0x29e0000 end_va = 0x29effff entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 328 start_va = 0x29f0000 end_va = 0x29f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029f0000" filename = "" Region: id = 329 start_va = 0x2a00000 end_va = 0x2a47fff entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 330 start_va = 0x2a50000 end_va = 0x2a53fff entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 331 start_va = 0x2a60000 end_va = 0x2a61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a60000" filename = "" Region: id = 332 start_va = 0x2a70000 end_va = 0x2a73fff entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 333 start_va = 0x2a80000 end_va = 0x2b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 334 start_va = 0x2b80000 end_va = 0x2c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 335 start_va = 0x2c90000 end_va = 0x2c90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c90000" filename = "" Region: id = 336 start_va = 0x2ca0000 end_va = 0x2ca1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ca0000" filename = "" Region: id = 337 start_va = 0x2cb0000 end_va = 0x2cbcfff entry_point = 0x2cb0000 region_type = mapped_file name = "wininet.dll.mui" filename = "\\Windows\\System32\\en-US\\wininet.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wininet.dll.mui") Region: id = 338 start_va = 0x2cc0000 end_va = 0x2cc7fff entry_point = 0x2cc0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat") Region: id = 339 start_va = 0x2cd0000 end_va = 0x2cd3fff entry_point = 0x2cd0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\cookies\\index.dat") Region: id = 340 start_va = 0x2ce0000 end_va = 0x2ceffff entry_point = 0x2ce0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\history\\history.ie5\\index.dat") Region: id = 341 start_va = 0x2cf0000 end_va = 0x2cfffff entry_point = 0x2cf0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\History\\History.IE5\\MSHist012017092120170922\\index.dat" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\history\\history.ie5\\mshist012017092120170922\\index.dat") Region: id = 342 start_va = 0x2d00000 end_va = 0x2d00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d00000" filename = "" Region: id = 343 start_va = 0x2d90000 end_va = 0x2d90fff entry_point = 0x2d90000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 344 start_va = 0x2da0000 end_va = 0x2da0fff entry_point = 0x2da0000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 345 start_va = 0x2db0000 end_va = 0x2db0fff entry_point = 0x2db0000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 346 start_va = 0x2dc0000 end_va = 0x2e4afff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002dc0000" filename = "" Region: id = 347 start_va = 0x2e80000 end_va = 0x31c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e80000" filename = "" Region: id = 348 start_va = 0x31d0000 end_va = 0x31fffff entry_point = 0x31d0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 349 start_va = 0x3200000 end_va = 0x3200fff entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 350 start_va = 0x3210000 end_va = 0x3213fff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 351 start_va = 0x3220000 end_va = 0x329ffff entry_point = 0x0 region_type = private name = "private_0x0000000003220000" filename = "" Region: id = 352 start_va = 0x32a0000 end_va = 0x331ffff entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 353 start_va = 0x3320000 end_va = 0x3320fff entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 354 start_va = 0x3330000 end_va = 0x33affff entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 355 start_va = 0x33b0000 end_va = 0x3415fff entry_point = 0x33b0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 356 start_va = 0x3420000 end_va = 0x3420fff entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 357 start_va = 0x3430000 end_va = 0x34affff entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 358 start_va = 0x34b0000 end_va = 0x34b0fff entry_point = 0x0 region_type = private name = "private_0x00000000034b0000" filename = "" Region: id = 359 start_va = 0x34c0000 end_va = 0x34c0fff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 360 start_va = 0x34d0000 end_va = 0x34d0fff entry_point = 0x34d0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 361 start_va = 0x34e0000 end_va = 0x34e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034e0000" filename = "" Region: id = 362 start_va = 0x34f0000 end_va = 0x34f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034f0000" filename = "" Region: id = 363 start_va = 0x3500000 end_va = 0x3501fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003500000" filename = "" Region: id = 364 start_va = 0x3510000 end_va = 0x3510fff entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 365 start_va = 0x3520000 end_va = 0x359ffff entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 366 start_va = 0x35a0000 end_va = 0x3ecffff entry_point = 0x35a0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 367 start_va = 0x3ed0000 end_va = 0x3ed1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ed0000" filename = "" Region: id = 368 start_va = 0x3ee0000 end_va = 0x3ee3fff entry_point = 0x3ee0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 369 start_va = 0x3ef0000 end_va = 0x3ef0fff entry_point = 0x0 region_type = private name = "private_0x0000000003ef0000" filename = "" Region: id = 370 start_va = 0x3f00000 end_va = 0x3f01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f00000" filename = "" Region: id = 371 start_va = 0x3f10000 end_va = 0x3f11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f10000" filename = "" Region: id = 372 start_va = 0x3f20000 end_va = 0x3f21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f20000" filename = "" Region: id = 373 start_va = 0x3f30000 end_va = 0x3f30fff entry_point = 0x0 region_type = private name = "private_0x0000000003f30000" filename = "" Region: id = 374 start_va = 0x3f40000 end_va = 0x3f40fff entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 375 start_va = 0x3f50000 end_va = 0x3f50fff entry_point = 0x0 region_type = private name = "private_0x0000000003f50000" filename = "" Region: id = 376 start_va = 0x3f60000 end_va = 0x3fdffff entry_point = 0x0 region_type = private name = "private_0x0000000003f60000" filename = "" Region: id = 377 start_va = 0x3fe0000 end_va = 0x3fe0fff entry_point = 0x0 region_type = private name = "private_0x0000000003fe0000" filename = "" Region: id = 378 start_va = 0x3ff0000 end_va = 0x3ff0fff entry_point = 0x0 region_type = private name = "private_0x0000000003ff0000" filename = "" Region: id = 379 start_va = 0x4000000 end_va = 0x4000fff entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 380 start_va = 0x4010000 end_va = 0x4013fff entry_point = 0x4010000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 381 start_va = 0x4020000 end_va = 0x4020fff entry_point = 0x4020000 region_type = mapped_file name = "{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db") Region: id = 382 start_va = 0x4030000 end_va = 0x4033fff entry_point = 0x4030000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 383 start_va = 0x4040000 end_va = 0x40bffff entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 384 start_va = 0x40c0000 end_va = 0x40c0fff entry_point = 0x40c0000 region_type = mapped_file name = "{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db") Region: id = 385 start_va = 0x40d0000 end_va = 0x40d3fff entry_point = 0x40d0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 386 start_va = 0x40e0000 end_va = 0x40e0fff entry_point = 0x40e0000 region_type = mapped_file name = "{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db") Region: id = 387 start_va = 0x40f0000 end_va = 0x40f0fff entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 388 start_va = 0x4100000 end_va = 0x4100fff entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 389 start_va = 0x4110000 end_va = 0x4110fff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 390 start_va = 0x4120000 end_va = 0x4120fff entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 391 start_va = 0x4130000 end_va = 0x4131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004130000" filename = "" Region: id = 392 start_va = 0x4140000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 393 start_va = 0x41c0000 end_va = 0x420ffff entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 394 start_va = 0x4210000 end_va = 0x4210fff entry_point = 0x4210000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 395 start_va = 0x4220000 end_va = 0x429ffff entry_point = 0x0 region_type = private name = "private_0x0000000004220000" filename = "" Region: id = 396 start_va = 0x42a0000 end_va = 0x42a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000042a0000" filename = "" Region: id = 397 start_va = 0x42b0000 end_va = 0x42b0fff entry_point = 0x42b0000 region_type = mapped_file name = "wdmaud.drv.mui" filename = "\\Windows\\System32\\en-US\\wdmaud.drv.mui" (normalized: "c:\\windows\\system32\\en-us\\wdmaud.drv.mui") Region: id = 398 start_va = 0x42c0000 end_va = 0x42c0fff entry_point = 0x42c0000 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 399 start_va = 0x42d0000 end_va = 0x42d1fff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 400 start_va = 0x42e0000 end_va = 0x42e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000042e0000" filename = "" Region: id = 401 start_va = 0x42f0000 end_va = 0x42f0fff entry_point = 0x42f0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 402 start_va = 0x4300000 end_va = 0x4301fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004300000" filename = "" Region: id = 403 start_va = 0x4310000 end_va = 0x4310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004310000" filename = "" Region: id = 404 start_va = 0x4320000 end_va = 0x4320fff entry_point = 0x4320000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 405 start_va = 0x4330000 end_va = 0x4362fff entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 406 start_va = 0x4370000 end_va = 0x4370fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004370000" filename = "" Region: id = 407 start_va = 0x4380000 end_va = 0x4382fff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 408 start_va = 0x4390000 end_va = 0x440ffff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 409 start_va = 0x4410000 end_va = 0x4410fff entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 410 start_va = 0x4420000 end_va = 0x4421fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004420000" filename = "" Region: id = 411 start_va = 0x4430000 end_va = 0x4430fff entry_point = 0x4430000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 412 start_va = 0x4440000 end_va = 0x4441fff entry_point = 0x4440000 region_type = mapped_file name = "msutb.dll.mui" filename = "\\Windows\\System32\\en-US\\msutb.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msutb.dll.mui") Region: id = 413 start_va = 0x4450000 end_va = 0x4456fff entry_point = 0x4450000 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 414 start_va = 0x4460000 end_va = 0x4461fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004460000" filename = "" Region: id = 415 start_va = 0x4470000 end_va = 0x4471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004470000" filename = "" Region: id = 416 start_va = 0x4480000 end_va = 0x4483fff entry_point = 0x4480000 region_type = mapped_file name = "prnfldr.dll.mui" filename = "\\Windows\\System32\\en-US\\prnfldr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\prnfldr.dll.mui") Region: id = 417 start_va = 0x4490000 end_va = 0x44a0fff entry_point = 0x4490000 region_type = mapped_file name = "netshell.dll.mui" filename = "\\Windows\\System32\\en-US\\netshell.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netshell.dll.mui") Region: id = 418 start_va = 0x44b0000 end_va = 0x44b0fff entry_point = 0x44b0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 419 start_va = 0x44c0000 end_va = 0x44c0fff entry_point = 0x44c0000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 420 start_va = 0x44d0000 end_va = 0x45cffff entry_point = 0x44d0000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 421 start_va = 0x45d0000 end_va = 0x45d0fff entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 422 start_va = 0x45e0000 end_va = 0x45e0fff entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 423 start_va = 0x45f0000 end_va = 0x45f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045f0000" filename = "" Region: id = 424 start_va = 0x4600000 end_va = 0x4600fff entry_point = 0x4600000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 425 start_va = 0x4610000 end_va = 0x4610fff entry_point = 0x4610000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 426 start_va = 0x4620000 end_va = 0x4620fff entry_point = 0x4620000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 427 start_va = 0x4630000 end_va = 0x46affff entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 428 start_va = 0x46b0000 end_va = 0x46b0fff entry_point = 0x46b0000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 429 start_va = 0x46c0000 end_va = 0x46c0fff entry_point = 0x46c0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 430 start_va = 0x46d0000 end_va = 0x46d0fff entry_point = 0x46d0000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 431 start_va = 0x46e0000 end_va = 0x46e0fff entry_point = 0x46e0000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 432 start_va = 0x46f0000 end_va = 0x46f0fff entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 433 start_va = 0x4700000 end_va = 0x477ffff entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 434 start_va = 0x47b0000 end_va = 0x482ffff entry_point = 0x0 region_type = private name = "private_0x00000000047b0000" filename = "" Region: id = 435 start_va = 0x4830000 end_va = 0x492ffff entry_point = 0x4830000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 436 start_va = 0x4930000 end_va = 0x49affff entry_point = 0x0 region_type = private name = "private_0x0000000004930000" filename = "" Region: id = 437 start_va = 0x49b0000 end_va = 0x4baffff entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 438 start_va = 0x4bb0000 end_va = 0x4caffff entry_point = 0x4bb0000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 439 start_va = 0x4cf0000 end_va = 0x4d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000004cf0000" filename = "" Region: id = 440 start_va = 0x4e60000 end_va = 0x4f1ffff entry_point = 0x4e60000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 441 start_va = 0x4f50000 end_va = 0x4fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004f50000" filename = "" Region: id = 442 start_va = 0x4fd0000 end_va = 0x6324fff entry_point = 0x4fd0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 443 start_va = 0x6330000 end_va = 0x6732fff entry_point = 0x0 region_type = private name = "private_0x0000000006330000" filename = "" Region: id = 444 start_va = 0x6760000 end_va = 0x67dffff entry_point = 0x0 region_type = private name = "private_0x0000000006760000" filename = "" Region: id = 445 start_va = 0x6800000 end_va = 0x687ffff entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 446 start_va = 0x6890000 end_va = 0x690ffff entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 447 start_va = 0x6930000 end_va = 0x69affff entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 448 start_va = 0x6a10000 end_va = 0x6a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 449 start_va = 0x6b60000 end_va = 0x6bdffff entry_point = 0x0 region_type = private name = "private_0x0000000006b60000" filename = "" Region: id = 450 start_va = 0x6c20000 end_va = 0x6c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000006c20000" filename = "" Region: id = 451 start_va = 0x6cd0000 end_va = 0x6d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000006cd0000" filename = "" Region: id = 452 start_va = 0x6e00000 end_va = 0x6e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 453 start_va = 0x6e80000 end_va = 0x6e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e80000" filename = "" Region: id = 454 start_va = 0x6ec0000 end_va = 0x6f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000006ec0000" filename = "" Region: id = 455 start_va = 0x6fb0000 end_va = 0x702ffff entry_point = 0x0 region_type = private name = "private_0x0000000006fb0000" filename = "" Region: id = 456 start_va = 0x70a0000 end_va = 0x70affff entry_point = 0x0 region_type = private name = "private_0x00000000070a0000" filename = "" Region: id = 457 start_va = 0x70b0000 end_va = 0x712ffff entry_point = 0x0 region_type = private name = "private_0x00000000070b0000" filename = "" Region: id = 458 start_va = 0x7260000 end_va = 0x72dffff entry_point = 0x0 region_type = private name = "private_0x0000000007260000" filename = "" Region: id = 459 start_va = 0x72f0000 end_va = 0x736ffff entry_point = 0x0 region_type = private name = "private_0x00000000072f0000" filename = "" Region: id = 460 start_va = 0x73b0000 end_va = 0x73bffff entry_point = 0x0 region_type = private name = "private_0x00000000073b0000" filename = "" Region: id = 461 start_va = 0x73e0000 end_va = 0x745ffff entry_point = 0x0 region_type = private name = "private_0x00000000073e0000" filename = "" Region: id = 462 start_va = 0x7470000 end_va = 0x74effff entry_point = 0x0 region_type = private name = "private_0x0000000007470000" filename = "" Region: id = 463 start_va = 0x74f0000 end_va = 0x75effff entry_point = 0x0 region_type = private name = "private_0x00000000074f0000" filename = "" Region: id = 464 start_va = 0x7640000 end_va = 0x76bffff entry_point = 0x0 region_type = private name = "private_0x0000000007640000" filename = "" Region: id = 465 start_va = 0x7770000 end_va = 0x77effff entry_point = 0x0 region_type = private name = "private_0x0000000007770000" filename = "" Region: id = 466 start_va = 0x77f0000 end_va = 0x78effff entry_point = 0x77f0000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 467 start_va = 0x78f0000 end_va = 0x79effff entry_point = 0x78f0000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 468 start_va = 0x79f0000 end_va = 0x7aeffff entry_point = 0x79f0000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 469 start_va = 0x7af0000 end_va = 0x7beffff entry_point = 0x7af0000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 470 start_va = 0x7bf0000 end_va = 0x7ceffff entry_point = 0x7bf0000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 471 start_va = 0x7cf0000 end_va = 0x7deffff entry_point = 0x7cf0000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 472 start_va = 0x7df0000 end_va = 0x7eeffff entry_point = 0x7df0000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 473 start_va = 0x7ef0000 end_va = 0x7feffff entry_point = 0x7ef0000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 474 start_va = 0x7ff0000 end_va = 0x80effff entry_point = 0x7ff0000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 475 start_va = 0x80f0000 end_va = 0x84effff entry_point = 0x0 region_type = private name = "private_0x00000000080f0000" filename = "" Region: id = 476 start_va = 0x84f0000 end_va = 0x87effff entry_point = 0x0 region_type = private name = "private_0x00000000084f0000" filename = "" Region: id = 477 start_va = 0x87f0000 end_va = 0x9b44fff entry_point = 0x87f0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 478 start_va = 0xab50000 end_va = 0xac4ffff entry_point = 0xab50000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 479 start_va = 0xac50000 end_va = 0xad4ffff entry_point = 0xac50000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 480 start_va = 0xad50000 end_va = 0xae4ffff entry_point = 0xad50000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 481 start_va = 0x73b60000 end_va = 0x73b65fff entry_point = 0x73b60000 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 482 start_va = 0x73b80000 end_va = 0x73baefff entry_point = 0x73b80000 region_type = mapped_file name = "atl90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895\\ATL90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895\\atl90.dll") Region: id = 483 start_va = 0x73bb0000 end_va = 0x73c82fff entry_point = 0x73bb0000 region_type = mapped_file name = "msvcp90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcp90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcp90.dll") Region: id = 484 start_va = 0x73c90000 end_va = 0x73d32fff entry_point = 0x73c90000 region_type = mapped_file name = "msvcr90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll") Region: id = 485 start_va = 0x74fb0000 end_va = 0x75092fff entry_point = 0x74fb0000 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 486 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x77160000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 487 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x77260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 488 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 489 start_va = 0x77540000 end_va = 0x77546fff entry_point = 0x77540000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 490 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 491 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 492 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 493 start_va = 0xff440000 end_va = 0xff6fffff entry_point = 0xff440000 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 494 start_va = 0x7fef3c10000 end_va = 0x7fef3ce6fff entry_point = 0x7fef3c10000 region_type = mapped_file name = "searchfolder.dll" filename = "\\Windows\\System32\\SearchFolder.dll" (normalized: "c:\\windows\\system32\\searchfolder.dll") Region: id = 495 start_va = 0x7fef3f70000 end_va = 0x7fef3faafff entry_point = 0x7fef3f70000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 496 start_va = 0x7fef4360000 end_va = 0x7fef43fcfff entry_point = 0x7fef4360000 region_type = mapped_file name = "fxsapi.dll" filename = "\\Windows\\System32\\FXSAPI.dll" (normalized: "c:\\windows\\system32\\fxsapi.dll") Region: id = 497 start_va = 0x7fef4400000 end_va = 0x7fef44d6fff entry_point = 0x7fef4400000 region_type = mapped_file name = "fxsst.dll" filename = "\\Windows\\System32\\FXSST.dll" (normalized: "c:\\windows\\system32\\fxsst.dll") Region: id = 498 start_va = 0x7fef44e0000 end_va = 0x7fef4510fff entry_point = 0x7fef44e0000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 499 start_va = 0x7fef4520000 end_va = 0x7fef4574fff entry_point = 0x7fef4520000 region_type = mapped_file name = "hgcpl.dll" filename = "\\Windows\\System32\\hgcpl.dll" (normalized: "c:\\windows\\system32\\hgcpl.dll") Region: id = 500 start_va = 0x7fef4580000 end_va = 0x7fef45fefff entry_point = 0x7fef4580000 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 501 start_va = 0x7fef4600000 end_va = 0x7fef46c1fff entry_point = 0x7fef4600000 region_type = mapped_file name = "actioncenter.dll" filename = "\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 502 start_va = 0x7fef46d0000 end_va = 0x7fef4723fff entry_point = 0x7fef46d0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 503 start_va = 0x7fef4730000 end_va = 0x7fef52e6fff entry_point = 0x7fef4730000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 504 start_va = 0x7fef52f0000 end_va = 0x7fef53a4fff entry_point = 0x7fef52f0000 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 505 start_va = 0x7fef53b0000 end_va = 0x7fef5407fff entry_point = 0x7fef53b0000 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 506 start_va = 0x7fef5410000 end_va = 0x7fef544efff entry_point = 0x7fef5410000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 507 start_va = 0x7fef5450000 end_va = 0x7fef5494fff entry_point = 0x7fef5450000 region_type = mapped_file name = "qagent.dll" filename = "\\Windows\\System32\\QAGENT.DLL" (normalized: "c:\\windows\\system32\\qagent.dll") Region: id = 508 start_va = 0x7fef54a0000 end_va = 0x7fef54fdfff entry_point = 0x7fef54a0000 region_type = mapped_file name = "wwanapi.dll" filename = "\\Windows\\System32\\WWanAPI.dll" (normalized: "c:\\windows\\system32\\wwanapi.dll") Region: id = 509 start_va = 0x7fef5650000 end_va = 0x7fef580cfff entry_point = 0x7fef5650000 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 510 start_va = 0x7fef5810000 end_va = 0x7fef5a9afff entry_point = 0x7fef5810000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 511 start_va = 0x7fef5ac0000 end_va = 0x7fef5ae0fff entry_point = 0x7fef5ac0000 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 512 start_va = 0x7fef5d60000 end_va = 0x7fef5f8afff entry_point = 0x7fef5d60000 region_type = mapped_file name = "synccenter.dll" filename = "\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 513 start_va = 0x7fef6170000 end_va = 0x7fef622cfff entry_point = 0x7fef6170000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 514 start_va = 0x7fef6260000 end_va = 0x7fef626bfff entry_point = 0x7fef6260000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 515 start_va = 0x7fef63d0000 end_va = 0x7fef63d8fff entry_point = 0x7fef63d0000 region_type = mapped_file name = "midimap.dll" filename = "\\Windows\\System32\\midimap.dll" (normalized: "c:\\windows\\system32\\midimap.dll") Region: id = 516 start_va = 0x7fef63e0000 end_va = 0x7fef63f7fff entry_point = 0x7fef63e0000 region_type = mapped_file name = "msacm32.dll" filename = "\\Windows\\System32\\msacm32.dll" (normalized: "c:\\windows\\system32\\msacm32.dll") Region: id = 517 start_va = 0x7fef6400000 end_va = 0x7fef6409fff entry_point = 0x7fef6400000 region_type = mapped_file name = "msacm32.drv" filename = "\\Windows\\System32\\msacm32.drv" (normalized: "c:\\windows\\system32\\msacm32.drv") Region: id = 518 start_va = 0x7fef6410000 end_va = 0x7fef645efff entry_point = 0x7fef6410000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 519 start_va = 0x7fef6550000 end_va = 0x7fef658afff entry_point = 0x7fef6550000 region_type = mapped_file name = "wdmaud.drv" filename = "\\Windows\\System32\\wdmaud.drv" (normalized: "c:\\windows\\system32\\wdmaud.drv") Region: id = 520 start_va = 0x7fef65a0000 end_va = 0x7fef65dafff entry_point = 0x7fef65a0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 521 start_va = 0x7fef6830000 end_va = 0x7fef69cbfff entry_point = 0x7fef6830000 region_type = mapped_file name = "networkexplorer.dll" filename = "\\Windows\\System32\\networkexplorer.dll" (normalized: "c:\\windows\\system32\\networkexplorer.dll") Region: id = 522 start_va = 0x7fef69d0000 end_va = 0x7fef69eefff entry_point = 0x7fef69d0000 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 523 start_va = 0x7fef6a00000 end_va = 0x7fef6a7efff entry_point = 0x7fef6a00000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 524 start_va = 0x7fef6a80000 end_va = 0x7fef6abafff entry_point = 0x7fef6a80000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 525 start_va = 0x7fef6ae0000 end_va = 0x7fef6aecfff entry_point = 0x7fef6ae0000 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 526 start_va = 0x7fef6b90000 end_va = 0x7fef6ea5fff entry_point = 0x7fef6b90000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 527 start_va = 0x7fef6eb0000 end_va = 0x7fef6eb8fff entry_point = 0x7fef6eb0000 region_type = mapped_file name = "msiltcfg.dll" filename = "\\Windows\\System32\\msiltcfg.dll" (normalized: "c:\\windows\\system32\\msiltcfg.dll") Region: id = 528 start_va = 0x7fef6ec0000 end_va = 0x7fef6f3bfff entry_point = 0x7fef6ec0000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 529 start_va = 0x7fef6f40000 end_va = 0x7fef71e2fff entry_point = 0x7fef6f40000 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 530 start_va = 0x7fef71f0000 end_va = 0x7fef71fbfff entry_point = 0x7fef71f0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 531 start_va = 0x7fef7200000 end_va = 0x7fef7233fff entry_point = 0x7fef7200000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 532 start_va = 0x7fef7240000 end_va = 0x7fef732dfff entry_point = 0x7fef7240000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 533 start_va = 0x7fef75e0000 end_va = 0x7fef7650fff entry_point = 0x7fef75e0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 534 start_va = 0x7fef7770000 end_va = 0x7fef77f2fff entry_point = 0x7fef7770000 region_type = mapped_file name = "timedate.cpl" filename = "\\Windows\\System32\\timedate.cpl" (normalized: "c:\\windows\\system32\\timedate.cpl") Region: id = 535 start_va = 0x7fef7800000 end_va = 0x7fef7ad1fff entry_point = 0x7fef7800000 region_type = mapped_file name = "themeui.dll" filename = "\\Windows\\System32\\themeui.dll" (normalized: "c:\\windows\\system32\\themeui.dll") Region: id = 536 start_va = 0x7fef7d20000 end_va = 0x7fef7d93fff entry_point = 0x7fef7d20000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 537 start_va = 0x7fef8740000 end_va = 0x7fef8747fff entry_point = 0x7fef8740000 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 538 start_va = 0x7fef8750000 end_va = 0x7fef87cffff entry_point = 0x7fef8750000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 539 start_va = 0x7fef87d0000 end_va = 0x7fef880cfff entry_point = 0x7fef87d0000 region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 540 start_va = 0x7fef8830000 end_va = 0x7fef883efff entry_point = 0x7fef8830000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 541 start_va = 0x7fef8840000 end_va = 0x7fef884bfff entry_point = 0x7fef8840000 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 542 start_va = 0x7fef8850000 end_va = 0x7fef88cdfff entry_point = 0x7fef8850000 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 543 start_va = 0x7fef88d0000 end_va = 0x7fef9133fff entry_point = 0x7fef88d0000 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\PROGRA~1\\MICROS~1\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\progra~1\\micros~1\\office14\\1033\\grooveintlresource.dll") Region: id = 544 start_va = 0x7fef9140000 end_va = 0x7fef9559fff entry_point = 0x7fef9140000 region_type = mapped_file name = "office.odf" filename = "\\PROGRA~1\\COMMON~1\\MICROS~1\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\progra~1\\common~1\\micros~1\\office14\\cultures\\office.odf") Region: id = 545 start_va = 0x7fef9560000 end_va = 0x7fef9bd0fff entry_point = 0x7fef9560000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office14\\GROOVEEX.DLL" (normalized: "c:\\progra~1\\micros~1\\office14\\grooveex.dll") Region: id = 546 start_va = 0x7fef9be0000 end_va = 0x7fef9c14fff entry_point = 0x7fef9be0000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 547 start_va = 0x7fef9c20000 end_va = 0x7fef9c76fff entry_point = 0x7fef9c20000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 548 start_va = 0x7fef9c80000 end_va = 0x7fef9e49fff entry_point = 0x7fef9c80000 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 549 start_va = 0x7fefa550000 end_va = 0x7fefa567fff entry_point = 0x7fefa550000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 550 start_va = 0x7fefa5b0000 end_va = 0x7fefa5cffff entry_point = 0x7fefa5b0000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 551 start_va = 0x7fefa610000 end_va = 0x7fefa62efff entry_point = 0x7fefa610000 region_type = mapped_file name = "qutil.dll" filename = "\\Windows\\System32\\QUTIL.DLL" (normalized: "c:\\windows\\system32\\qutil.dll") Region: id = 552 start_va = 0x7fefa630000 end_va = 0x7fefa668fff entry_point = 0x7fefa630000 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 553 start_va = 0x7fefa670000 end_va = 0x7fefa68ffff entry_point = 0x7fefa670000 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 554 start_va = 0x7fefa820000 end_va = 0x7fefa826fff entry_point = 0x7fefa820000 region_type = mapped_file name = "wlanutil.dll" filename = "\\Windows\\System32\\wlanutil.dll" (normalized: "c:\\windows\\system32\\wlanutil.dll") Region: id = 555 start_va = 0x7fefa830000 end_va = 0x7fefa83ffff entry_point = 0x7fefa830000 region_type = mapped_file name = "alttab.dll" filename = "\\Windows\\System32\\AltTab.dll" (normalized: "c:\\windows\\system32\\alttab.dll") Region: id = 556 start_va = 0x7fefa840000 end_va = 0x7fefa84afff entry_point = 0x7fefa840000 region_type = mapped_file name = "ehsso.dll" filename = "\\Windows\\ehome\\ehSSO.dll" (normalized: "c:\\windows\\ehome\\ehsso.dll") Region: id = 557 start_va = 0x7fefa850000 end_va = 0x7fefa8c3fff entry_point = 0x7fefa850000 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 558 start_va = 0x7fefa8d0000 end_va = 0x7fefa938fff entry_point = 0x7fefa8d0000 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 559 start_va = 0x7fefa960000 end_va = 0x7fefa975fff entry_point = 0x7fefa960000 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 560 start_va = 0x7fefa980000 end_va = 0x7fefaa39fff entry_point = 0x7fefa980000 region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 561 start_va = 0x7fefaa40000 end_va = 0x7fefaa82fff entry_point = 0x7fefaa40000 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 562 start_va = 0x7fefad30000 end_va = 0x7fefad47fff entry_point = 0x7fefad30000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 563 start_va = 0x7fefad50000 end_va = 0x7fefad60fff entry_point = 0x7fefad50000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 564 start_va = 0x7fefaed0000 end_va = 0x7fefaedafff entry_point = 0x7fefaed0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 565 start_va = 0x7fefaee0000 end_va = 0x7fefaf06fff entry_point = 0x7fefaee0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 566 start_va = 0x7fefaf50000 end_va = 0x7fefafb6fff entry_point = 0x7fefaf50000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 567 start_va = 0x7fefafc0000 end_va = 0x7fefafcafff entry_point = 0x7fefafc0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 568 start_va = 0x7fefaff0000 end_va = 0x7fefb008fff entry_point = 0x7fefaff0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 569 start_va = 0x7fefb050000 end_va = 0x7fefb064fff entry_point = 0x7fefb050000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 570 start_va = 0x7fefb180000 end_va = 0x7fefb2a6fff entry_point = 0x7fefb180000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 571 start_va = 0x7fefb3b0000 end_va = 0x7fefb3b8fff entry_point = 0x7fefb3b0000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 572 start_va = 0x7fefb3c0000 end_va = 0x7fefb3ebfff entry_point = 0x7fefb3c0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 573 start_va = 0x7fefb4a0000 end_va = 0x7fefb4ccfff entry_point = 0x7fefb4a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 574 start_va = 0x7fefb4d0000 end_va = 0x7fefb4e3fff entry_point = 0x7fefb4d0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 575 start_va = 0x7fefb4f0000 end_va = 0x7fefb504fff entry_point = 0x7fefb4f0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 576 start_va = 0x7fefb510000 end_va = 0x7fefb51bfff entry_point = 0x7fefb510000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 577 start_va = 0x7fefb540000 end_va = 0x7fefb605fff entry_point = 0x7fefb540000 region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll") Region: id = 578 start_va = 0x7fefb650000 end_va = 0x7fefb660fff entry_point = 0x7fefb650000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 579 start_va = 0x7fefb680000 end_va = 0x7fefb7a9fff entry_point = 0x7fefb680000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 580 start_va = 0x7fefb7b0000 end_va = 0x7fefb7e4fff entry_point = 0x7fefb7b0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 581 start_va = 0x7fefb7f0000 end_va = 0x7fefb807fff entry_point = 0x7fefb7f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 582 start_va = 0x7fefb810000 end_va = 0x7fefb85afff entry_point = 0x7fefb810000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 583 start_va = 0x7fefb860000 end_va = 0x7fefb86afff entry_point = 0x7fefb860000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 584 start_va = 0x7fefb870000 end_va = 0x7fefb8aafff entry_point = 0x7fefb870000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 585 start_va = 0x7fefb8b0000 end_va = 0x7fefb8f2fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 586 start_va = 0x7fefb900000 end_va = 0x7fefb9f1fff entry_point = 0x7fefb900000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 587 start_va = 0x7fefba00000 end_va = 0x7fefbc14fff entry_point = 0x7fefba00000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 588 start_va = 0x7fefbc20000 end_va = 0x7fefbc75fff entry_point = 0x7fefbc20000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 589 start_va = 0x7fefbc80000 end_va = 0x7fefbdabfff entry_point = 0x7fefbc80000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 590 start_va = 0x7fefbdb0000 end_va = 0x7fefbdccfff entry_point = 0x7fefbdb0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 591 start_va = 0x7fefbdd0000 end_va = 0x7fefbdf3fff entry_point = 0x7fefbdd0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 592 start_va = 0x7fefbe00000 end_va = 0x7fefbff3fff entry_point = 0x7fefbe00000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 593 start_va = 0x7fefc000000 end_va = 0x7fefc108fff entry_point = 0x7fefc000000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 594 start_va = 0x7fefc110000 end_va = 0x7fefc2e9fff entry_point = 0x7fefc110000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 595 start_va = 0x7fefc490000 end_va = 0x7fefc49bfff entry_point = 0x7fefc490000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 596 start_va = 0x7fefc670000 end_va = 0x7fefc68dfff entry_point = 0x7fefc670000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 597 start_va = 0x7fefc7c0000 end_va = 0x7fefc7c9fff entry_point = 0x7fefc7c0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 598 start_va = 0x7fefc8c0000 end_va = 0x7fefc906fff entry_point = 0x7fefc8c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 599 start_va = 0x7fefcbc0000 end_va = 0x7fefcbd6fff entry_point = 0x7fefcbc0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 600 start_va = 0x7fefcdb0000 end_va = 0x7fefce1cfff entry_point = 0x7fefcdb0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 601 start_va = 0x7fefd0c0000 end_va = 0x7fefd0e2fff entry_point = 0x7fefd0c0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 602 start_va = 0x7fefd160000 end_va = 0x7fefd16afff entry_point = 0x7fefd160000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 603 start_va = 0x7fefd190000 end_va = 0x7fefd1b4fff entry_point = 0x7fefd190000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 604 start_va = 0x7fefd1c0000 end_va = 0x7fefd1cefff entry_point = 0x7fefd1c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 605 start_va = 0x7fefd1d0000 end_va = 0x7fefd260fff entry_point = 0x7fefd1d0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 606 start_va = 0x7fefd270000 end_va = 0x7fefd2acfff entry_point = 0x7fefd270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 607 start_va = 0x7fefd2b0000 end_va = 0x7fefd2c3fff entry_point = 0x7fefd2b0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 608 start_va = 0x7fefd2d0000 end_va = 0x7fefd2defff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 609 start_va = 0x7fefd370000 end_va = 0x7fefd37efff entry_point = 0x7fefd370000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 610 start_va = 0x7fefd380000 end_va = 0x7fefd3b5fff entry_point = 0x7fefd380000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 611 start_va = 0x7fefd3c0000 end_va = 0x7fefd3d9fff entry_point = 0x7fefd3c0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 612 start_va = 0x7fefd3e0000 end_va = 0x7fefd419fff entry_point = 0x7fefd3e0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 613 start_va = 0x7fefd420000 end_va = 0x7fefd586fff entry_point = 0x7fefd420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 614 start_va = 0x7fefd630000 end_va = 0x7fefd69afff entry_point = 0x7fefd630000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 615 start_va = 0x7fefd6a0000 end_va = 0x7fefd6ecfff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 616 start_va = 0x7fefd710000 end_va = 0x7fefd776fff entry_point = 0x7fefd710000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 617 start_va = 0x7fefd780000 end_va = 0x7fefe507fff entry_point = 0x7fefd780000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 618 start_va = 0x7fefe510000 end_va = 0x7fefe6e6fff entry_point = 0x7fefe510000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 619 start_va = 0x7fefe6f0000 end_va = 0x7fefe788fff entry_point = 0x7fefe6f0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 620 start_va = 0x7fefe830000 end_va = 0x7fefea32fff entry_point = 0x7fefe830000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 621 start_va = 0x7fefea40000 end_va = 0x7fefea6dfff entry_point = 0x7fefea40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 622 start_va = 0x7fefea70000 end_va = 0x7fefecc8fff entry_point = 0x7fefea70000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 623 start_va = 0x7fefecd0000 end_va = 0x7fefedd8fff entry_point = 0x7fefecd0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 624 start_va = 0x7fefede0000 end_va = 0x7fefeeb6fff entry_point = 0x7fefede0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 625 start_va = 0x7fefeec0000 end_va = 0x7fefeec7fff entry_point = 0x7fefeec0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 626 start_va = 0x7fefeed0000 end_va = 0x7fefef21fff entry_point = 0x7fefeed0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 627 start_va = 0x7fefef30000 end_va = 0x7feff00afff entry_point = 0x7fefef30000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 628 start_va = 0x7feff010000 end_va = 0x7feff187fff entry_point = 0x7feff010000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 629 start_va = 0x7feff190000 end_va = 0x7feff2bcfff entry_point = 0x7feff190000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 630 start_va = 0x7feff2c0000 end_va = 0x7feff35efff entry_point = 0x7feff2c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 631 start_va = 0x7feff360000 end_va = 0x7feff489fff entry_point = 0x7feff360000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 632 start_va = 0x7feff490000 end_va = 0x7feff49dfff entry_point = 0x7feff490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 633 start_va = 0x7feff520000 end_va = 0x7feff5e8fff entry_point = 0x7feff520000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 634 start_va = 0x7feff5f0000 end_va = 0x7feff60efff entry_point = 0x7feff5f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 635 start_va = 0x7feff610000 end_va = 0x7feff680fff entry_point = 0x7feff610000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 636 start_va = 0x7feff6a0000 end_va = 0x7feff6a0fff entry_point = 0x7feff6a0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 637 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 638 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 639 start_va = 0x7fffff80000 end_va = 0x7fffff81fff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 640 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 641 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 642 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 643 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 644 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 645 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 646 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 647 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 648 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 649 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 650 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 651 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 652 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 653 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 654 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 655 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 656 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 657 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 658 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 659 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 660 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 661 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 662 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 663 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 664 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 665 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 666 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 667 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 668 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 935 start_va = 0x6d30000 end_va = 0x6daffff entry_point = 0x0 region_type = private name = "private_0x0000000006d30000" filename = "" Region: id = 936 start_va = 0x9b50000 end_va = 0xa031fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009b50000" filename = "" Region: id = 937 start_va = 0x2d10000 end_va = 0x2d81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d10000" filename = "" Region: id = 1016 start_va = 0x4330000 end_va = 0x4360fff entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 1017 start_va = 0x7fef5ab0000 end_va = 0x7fef5ab7fff entry_point = 0x7fef5ab0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Thread: id = 5 os_tid = 0x540 Thread: id = 6 os_tid = 0x5a4 Thread: id = 7 os_tid = 0x758 Thread: id = 8 os_tid = 0x774 Thread: id = 9 os_tid = 0x73c Thread: id = 10 os_tid = 0x71c Thread: id = 11 os_tid = 0x718 Thread: id = 12 os_tid = 0x704 Thread: id = 13 os_tid = 0x278 Thread: id = 14 os_tid = 0x6bc Thread: id = 15 os_tid = 0x6ec Thread: id = 16 os_tid = 0x480 Thread: id = 17 os_tid = 0x47c Thread: id = 18 os_tid = 0x7d4 Thread: id = 19 os_tid = 0x7d0 Thread: id = 20 os_tid = 0x734 Thread: id = 21 os_tid = 0x6b0 Thread: id = 22 os_tid = 0x67c Thread: id = 23 os_tid = 0x678 Thread: id = 24 os_tid = 0x674 Thread: id = 25 os_tid = 0x670 Thread: id = 26 os_tid = 0x66c Thread: id = 27 os_tid = 0x660 Thread: id = 28 os_tid = 0x65c Thread: id = 29 os_tid = 0x654 Thread: id = 30 os_tid = 0x630 Thread: id = 31 os_tid = 0x59c Thread: id = 32 os_tid = 0x598 Thread: id = 33 os_tid = 0x594 Thread: id = 34 os_tid = 0x590 Thread: id = 35 os_tid = 0x58c Thread: id = 36 os_tid = 0x570 Thread: id = 37 os_tid = 0x568 [0057.111] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\autofmt.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18eff8*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18efd0, hNewToken=0x0 | out: lpProcessInformation=0x18efd0*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0), hNewToken=0x0) returned 0 [0057.173] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\msiexec.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18eff8*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18efd0, hNewToken=0x0 | out: lpProcessInformation=0x18efd0*(hProcess=0x854, hThread=0x83c, dwProcessId=0xa38, dwThreadId=0xa3c), hNewToken=0x0) returned 1 [0080.755] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x18ea60 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0080.778] RtlIntegerToChar (in: Value=0x564, Base=0x0, Length=0x20, String=0x18f030 | out: String="1380") returned 0x0 [0080.778] RtlIntegerToChar (in: Value=0x6ae232c9, Base=0x0, Length=0x20, String=0x18f030 | out: String="1793209033") returned 0x0 [0080.778] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="S-1-5-21-3388679-13801793209033") returned 0xe4 [0080.778] GetLastError () returned 0x0 [0080.797] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x18e7e0 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0080.804] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x18eae0 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0080.819] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77176110, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x40, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77176000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x20) returned 0x0 [0080.822] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77176110, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x20, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77176000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x40) returned 0x0 [0080.825] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77179e74, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x40, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77179000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x20) returned 0x0 [0080.828] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77179e74, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x20, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77179000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x40) returned 0x0 [0080.830] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77173a18, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x40, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77173000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x20) returned 0x0 [0080.833] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77173a18, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x20, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77173000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x40) returned 0x0 [0080.836] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77178fd0, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x40, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77178000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x20) returned 0x0 [0080.839] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18ec98*=0x77178fd0, NumberOfBytesToProtect=0x18ec90, NewAccessProtection=0x20, OldAccessProtection=0x18ede0 | out: BaseAddress=0x18ec98*=0x77178000, NumberOfBytesToProtect=0x18ec90, OldAccessProtection=0x18ede0*=0x40) returned 0x0 [0080.841] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18ee60 | out: lpWSAData=0x18ee60) returned 0 Thread: id = 44 os_tid = 0xa7c Thread: id = 47 os_tid = 0xb10 Thread: id = 48 os_tid = 0xb5c Thread: id = 49 os_tid = 0xb60 Thread: id = 50 os_tid = 0xb88 Process: id = "4" image_name = "autofmt.exe" filename = "c:\\windows\\syswow64\\autofmt.exe" page_root = "0x6230c000" os_pid = "0xa30" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x564" cmd_line = "\"C:\\Windows\\SysWOW64\\autofmt.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 685 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 686 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 687 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 688 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 689 start_va = 0x200000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 690 start_va = 0xb80000 end_va = 0xc23fff entry_point = 0xb80000 region_type = mapped_file name = "autofmt.exe" filename = "\\Windows\\SysWOW64\\autofmt.exe" (normalized: "c:\\windows\\syswow64\\autofmt.exe") Region: id = 691 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 692 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 693 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 694 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 695 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 696 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 697 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 698 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 699 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Thread: id = 38 os_tid = 0xa34 Process: id = "5" image_name = "msiexec.exe" filename = "c:\\windows\\syswow64\\msiexec.exe" page_root = "0x62512000" os_pid = "0xa38" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x564" cmd_line = "\"C:\\Windows\\SysWOW64\\msiexec.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 700 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 701 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 702 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 703 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 704 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 705 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 706 start_va = 0x160000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 707 start_va = 0x9e0000 end_va = 0x9f3fff entry_point = 0x9e0000 region_type = mapped_file name = "msiexec.exe" filename = "\\Windows\\SysWOW64\\msiexec.exe" (normalized: "c:\\windows\\syswow64\\msiexec.exe") Region: id = 708 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 709 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 710 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 711 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 712 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 713 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 714 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 715 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 716 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 718 start_va = 0xd0000 end_va = 0xf3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 720 start_va = 0x9e0000 end_va = 0x9f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 721 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 722 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 723 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 724 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 725 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 726 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 727 start_va = 0x3c0000 end_va = 0x426fff entry_point = 0x3c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 728 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 729 start_va = 0x74900000 end_va = 0x74b3ffff entry_point = 0x74900000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 730 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 731 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 732 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 733 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 734 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 735 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 736 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 737 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 738 start_va = 0x75570000 end_va = 0x756cbfff entry_point = 0x755bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 739 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 740 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 741 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 742 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 743 start_va = 0x77100000 end_va = 0x77156fff entry_point = 0x77119ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 744 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 745 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 746 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 747 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 748 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 749 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 750 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 751 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 752 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 753 start_va = 0x70000 end_va = 0x70fff entry_point = 0x70000 region_type = mapped_file name = "msiexec.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\msiexec.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msiexec.exe.mui") Region: id = 754 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 755 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 756 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 757 start_va = 0xa00000 end_va = 0x1dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 758 start_va = 0x1e00000 end_va = 0x1f80fff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 759 start_va = 0x1f90000 end_va = 0x2292fff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 760 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 869 start_va = 0x110000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 870 start_va = 0x430000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 871 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 872 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 873 start_va = 0x1a0000 end_va = 0x1c3fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 874 start_va = 0x810000 end_va = 0x874fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 875 start_va = 0x880000 end_va = 0x8e4fff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 876 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 877 start_va = 0x22a0000 end_va = 0x2781fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022a0000" filename = "" Region: id = 878 start_va = 0x1e00000 end_va = 0x1efafff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 879 start_va = 0x768e0000 end_va = 0x769fcfff entry_point = 0x768e0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 880 start_va = 0x77530000 end_va = 0x7753bfff entry_point = 0x77530000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 881 start_va = 0x2790000 end_va = 0x2984fff entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 882 start_va = 0x738b0000 end_va = 0x7392ffff entry_point = 0x738c37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 883 start_va = 0x2990000 end_va = 0x2b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 884 start_va = 0x8f0000 end_va = 0x9cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 885 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 886 start_va = 0x756d0000 end_va = 0x75752fff entry_point = 0x756d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 887 start_va = 0x763e0000 end_va = 0x7646efff entry_point = 0x763e3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 888 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 889 start_va = 0x73e80000 end_va = 0x748fffff entry_point = 0x73e80000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 890 start_va = 0x75370000 end_va = 0x75374fff entry_point = 0x75370000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 891 start_va = 0x74f70000 end_va = 0x74fabfff entry_point = 0x74f70000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 892 start_va = 0x75790000 end_va = 0x763d9fff entry_point = 0x75811601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 893 start_va = 0x76d30000 end_va = 0x76f2afff entry_point = 0x76d30000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 894 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x1e0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 895 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 896 start_va = 0x74dd0000 end_va = 0x74f6dfff entry_point = 0x74dd0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 897 start_va = 0x280000 end_va = 0x280fff entry_point = 0x280000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 898 start_va = 0x290000 end_va = 0x291fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 899 start_va = 0x2ba0000 end_va = 0x2e6efff entry_point = 0x2ba0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 900 start_va = 0x74da0000 end_va = 0x74dcdfff entry_point = 0x74da0000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\SysWOW64\\mlang.dll" (normalized: "c:\\windows\\syswow64\\mlang.dll") Region: id = 901 start_va = 0x76be0000 end_va = 0x76cd4fff entry_point = 0x76be0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 902 start_va = 0x76470000 end_va = 0x765a5fff entry_point = 0x76470000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 903 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 904 start_va = 0x74d90000 end_va = 0x74d9afff entry_point = 0x74d90000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 905 start_va = 0x2a0000 end_va = 0x2abfff entry_point = 0x2a0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 906 start_va = 0x2b0000 end_va = 0x2b7fff entry_point = 0x2b0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 907 start_va = 0x4b0000 end_va = 0x4b7fff entry_point = 0x4b0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 908 start_va = 0x74d60000 end_va = 0x74d80fff entry_point = 0x74d60000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 909 start_va = 0x76ce0000 end_va = 0x76d24fff entry_point = 0x76ce0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 910 start_va = 0x74d50000 end_va = 0x74d58fff entry_point = 0x74d50000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 911 start_va = 0x1f00000 end_va = 0x1f3ffff entry_point = 0x1f00000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat") Region: id = 912 start_va = 0x2e70000 end_va = 0x31b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e70000" filename = "" Region: id = 913 start_va = 0x74b90000 end_va = 0x74d44fff entry_point = 0x74b90000 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll") Region: id = 914 start_va = 0x74f70000 end_va = 0x74fa1fff entry_point = 0x74f70000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 915 start_va = 0x74b80000 end_va = 0x74b86fff entry_point = 0x74b80000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 916 start_va = 0x75380000 end_va = 0x753b4fff entry_point = 0x75380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 917 start_va = 0x76bd0000 end_va = 0x76bd5fff entry_point = 0x76bd0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 918 start_va = 0x74840000 end_va = 0x748fefff entry_point = 0x74840000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\SysWOW64\\msvcr100.dll" (normalized: "c:\\windows\\syswow64\\msvcr100.dll") Region: id = 919 start_va = 0x74fa0000 end_va = 0x74fabfff entry_point = 0x74fa0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\SysWOW64\\vaultcli.dll" (normalized: "c:\\windows\\syswow64\\vaultcli.dll") Region: id = 920 start_va = 0x27d0000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 921 start_va = 0x2810000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 922 start_va = 0x74bc0000 end_va = 0x74d4ffff entry_point = 0x74bc0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 923 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 924 start_va = 0x2850000 end_va = 0x292ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 925 start_va = 0x28a0000 end_va = 0x28dffff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 926 start_va = 0x2920000 end_va = 0x292ffff entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 927 start_va = 0x2940000 end_va = 0x297ffff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 928 start_va = 0x31c0000 end_va = 0x36b1fff entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 929 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 930 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 931 start_va = 0x74800000 end_va = 0x748fafff entry_point = 0x74800000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 932 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 933 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 934 start_va = 0x2980000 end_va = 0x2a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 938 start_va = 0x2850000 end_va = 0x28c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002850000" filename = "" Region: id = 957 start_va = 0x2850000 end_va = 0x28dafff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002850000" filename = "" Region: id = 959 start_va = 0x1f40000 end_va = 0x1f83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 961 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1018 start_va = 0x140000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Thread: id = 39 os_tid = 0xa3c [0060.219] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x19efac | out: HeapArray=0x19efac*=0x2c0000) returned 0x2 [0060.225] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x19ef60, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.226] NtCreateFile (in: FileHandle=0x19ef8c, DesiredAccess=0x120089, ObjectAttributes=0x19ef48*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19ef68, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19ef8c*=0x84, IoStatusBlock=0x19ef68*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0060.235] NtQueryInformationFile (in: FileHandle=0x84, IoStatusBlock=0x19ef68, FileInformation=0x19eec0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19ef68, FileInformation=0x19eec0) returned 0x0 [0060.296] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x19ef00, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.296] NtCreateFile (in: FileHandle=0x19ef2c, DesiredAccess=0x120089, ObjectAttributes=0x19eee8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19ef08, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19ef2c*=0x84, IoStatusBlock=0x19ef08*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0060.296] NtQueryInformationFile (in: FileHandle=0x84, IoStatusBlock=0x19ef08, FileInformation=0x19ec7c, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19ef08, FileInformation=0x19ec7c) returned 0x0 [0060.296] NtClose (Handle=0x84) returned 0x0 [0060.299] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x73b41320, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19ef38, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19ef38*(BaseAddress=0x73b41000, AllocationBase=0x73b40000, AllocationProtect=0x80, RegionSize=0x3000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0060.636] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x19ef90, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x19ef90, ResultLength=0x0) returned 0x0 [0060.639] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x19efb4, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19efb4, ReturnLength=0x0) returned 0x0 [0060.652] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19ec44*=0x0, ZeroBits=0x0, RegionSize=0x19ec48*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19ec44*=0x110000, RegionSize=0x19ec48*=0x10000) returned 0x0 [0060.657] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x110000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x110000, ResultLength=0x0) returned 0x0 [0060.669] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19efa4*=0x110000, RegionSize=0x19efa8, FreeType=0x8000) returned 0x0 [0060.680] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19ed60 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0060.683] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19efbc | out: TokenHandle=0x19efbc*=0x84) returned 0x0 [0060.686] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x19efb0 | out: lpLuid=0x19efb0*(LowPart=0x14, HighPart=0)) returned 1 [0060.689] NtAdjustPrivilegesToken (in: TokenHandle=0x84, DisableAllPrivileges=0, NewState=0x19efac, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0060.691] NtClose (Handle=0x84) returned 0x0 [0060.691] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19eb04 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0060.691] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="L53886-W", Value=0x19ed9c | out: Value=0x19ed9c) returned 0xc0000100 [0060.691] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19e8e4 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0060.694] NtOpenDirectoryObject (in: FileHandle=0x19eb90, DesiredAccess=0x2000f, ObjectAttributes=0x19eb5c*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x19eb90*=0x84) returned 0x0 [0060.696] NtCreateMutant (in: MutantHandle=0x19edbc, DesiredAccess=0x1f0001, ObjectAttributes=0x19eb44*(Length=0x18, RootDirectory=0x84, ObjectName="L53886-WGVVJKAFC", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x19edbc*=0xc8) returned 0x0 [0060.696] NtClose (Handle=0x84) returned 0x0 [0060.696] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19e8e0 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0060.696] NtOpenDirectoryObject (in: FileHandle=0x19eb88, DesiredAccess=0x2000f, ObjectAttributes=0x19eb54*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x19eb88*=0x84) returned 0x0 [0060.696] NtCreateMutant (in: MutantHandle=0x19edb4, DesiredAccess=0x1f0001, ObjectAttributes=0x19eb3c*(Length=0x18, RootDirectory=0x84, ObjectName="8Q-59UAVA1ZvGWMZ", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x19edb4*=0xcc) returned 0x0 [0060.697] NtClose (Handle=0x84) returned 0x0 [0060.704] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERPROFILE", Value=0x19eaf4 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x0 [0060.711] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\lxqfwvdqlkd.exe", NtPathName=0x19eac0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.713] NtCreateFile (in: FileHandle=0x19eaec, DesiredAccess=0x120089, ObjectAttributes=0x19eaa8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eac8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eaec*=0x0, IoStatusBlock=0x19eac8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0060.713] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x19eaf4 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0060.713] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lxqfwvdqlkd.exe", NtPathName=0x19eac0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.714] NtCreateFile (in: FileHandle=0x19eaec, DesiredAccess=0x120089, ObjectAttributes=0x19eaa8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eac8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eaec*=0x0, IoStatusBlock=0x19eac8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0060.714] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="TEMP", Value=0x19eaf4 | out: Value="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x0 [0060.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\lxqfwvdqlkd.exe", NtPathName=0x19eac0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.714] NtCreateFile (in: FileHandle=0x19eaec, DesiredAccess=0x120089, ObjectAttributes=0x19eaa8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eac8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eaec*=0x0, IoStatusBlock=0x19eac8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0060.714] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x19eaf4 | out: Value="C:\\Program Files (x86)") returned 0x0 [0060.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\lxqfwvdqlkd.exe", NtPathName=0x19eac0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.714] NtCreateFile (in: FileHandle=0x19eaec, DesiredAccess=0x120089, ObjectAttributes=0x19eaa8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\lxqfwvdqlkd.exe" (normalized: "c:\\program files (x86)\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eac8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eaec*=0x0, IoStatusBlock=0x19eac8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0060.714] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="CommonProgramFiles", Value=0x19eaf4 | out: Value="C:\\Program Files (x86)\\Common Files") returned 0x0 [0060.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Common Files\\lxqfwvdqlkd.exe", NtPathName=0x19eac0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Common Files\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.714] NtCreateFile (in: FileHandle=0x19eaec, DesiredAccess=0x120089, ObjectAttributes=0x19eaa8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Common Files\\lxqfwvdqlkd.exe" (normalized: "c:\\program files (x86)\\common files\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eac8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eaec*=0x0, IoStatusBlock=0x19eac8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0060.714] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ALLUSERSPROFILE", Value=0x19eaf4 | out: Value="C:\\ProgramData") returned 0x0 [0060.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\ProgramData\\lxqfwvdqlkd.exe", NtPathName=0x19eac0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\ProgramData\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.714] NtCreateFile (in: FileHandle=0x19eaec, DesiredAccess=0x120089, ObjectAttributes=0x19eaa8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\ProgramData\\lxqfwvdqlkd.exe" (normalized: "c:\\programdata\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eac8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eaec*=0x0, IoStatusBlock=0x19eac8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0060.714] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", NtPathName=0x19ed98, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0060.714] NtCreateFile (in: FileHandle=0x19edc4, DesiredAccess=0x120089, ObjectAttributes=0x19ed80*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eda0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19edc4*=0x84, IoStatusBlock=0x19eda0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0060.718] NtQueryInformationFile (in: FileHandle=0x84, IoStatusBlock=0x19eda0, FileInformation=0x19ecf8, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19eda0, FileInformation=0x19ecf8) returned 0x0 [0060.718] NtClose (Handle=0x84) returned 0x0 [0060.718] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19eb94 | out: TokenHandle=0x19eb94*=0x84) returned 0x0 [0060.721] NtQueryInformationToken (in: TokenHandle=0x84, TokenInformationClass=0x14, TokenInformation=0x19eb8c, TokenInformationLength=0x4, ReturnLength=0x19eb90 | out: TokenInformation=0x19eb8c, ReturnLength=0x19eb90) returned 0x0 [0060.721] NtClose (Handle=0x84) returned 0x0 [0062.938] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x19e70c | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0062.938] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x19dff0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0062.938] NtCreateFile (in: FileHandle=0x19e01c, DesiredAccess=0x120089, ObjectAttributes=0x19dfd8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19dff8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e01c*=0x84, IoStatusBlock=0x19dff8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0062.939] NtQueryInformationFile (in: FileHandle=0x84, IoStatusBlock=0x19dff8, FileInformation=0x19dd6c, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19dff8, FileInformation=0x19dd6c) returned 0x0 [0062.939] NtClose (Handle=0x84) returned 0x0 [0062.940] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\cmd.exe", lpCommandLine="/c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /V", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e6bc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e700, hNewToken=0x0 | out: lpProcessInformation=0x19e700*(hProcess=0xd0, hThread=0x84, dwProcessId=0xa44, dwThreadId=0xa48), hNewToken=0x0) returned 1 [0063.002] NtWaitForSingleObject (Object=0xd0, Alertable=0, Time=0x0) returned 0x0 [0063.578] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", NtPathName=0x19eb5c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0063.578] NtCreateFile (in: FileHandle=0x19eb88, DesiredAccess=0x120089, ObjectAttributes=0x19eb44*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eb64, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eb88*=0xd8, IoStatusBlock=0x19eb64*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0063.578] NtQueryInformationFile (in: FileHandle=0xd8, IoStatusBlock=0x19eb64, FileInformation=0x19ea94, Length=0x28, FileInformationClass=0x4 | out: IoStatusBlock=0x19eb64, FileInformation=0x19ea94) returned 0x0 [0063.578] NtClose (Handle=0xd8) returned 0x0 [0063.578] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19e770 | out: TokenHandle=0x19e770*=0xd8) returned 0x0 [0063.578] NtQueryInformationToken (in: TokenHandle=0xd8, TokenInformationClass=0x1, TokenInformation=0x19df68, TokenInformationLength=0x400, ReturnLength=0x19e768 | out: TokenInformation=0x19df68, ReturnLength=0x19e768) returned 0x0 [0063.579] ConvertSidToStringSidW () returned 0x1 [0063.579] NtClose (Handle=0xd8) returned 0x0 [0065.030] NtCreateKey (in: KeyHandle=0x19eba8, DesiredAccess=0x2021f, ObjectAttributes=0x19e76c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19eba8*=0x0) returned 0xc0000022 [0065.031] NtCreateKey (in: KeyHandle=0x19eba8, DesiredAccess=0x2021f, ObjectAttributes=0x19e76c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19eba8*=0xd8) returned 0x0 [0066.750] NtSetValueKey (in: KeyHandle=0xd8, ValueName="autochkDNAL2", TitleIndex=0x0, Type=0x1, Data="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", DataSize=0x74 | out: Data="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr") returned 0x0 [0066.751] NtClose (Handle=0xd8) returned 0x0 [0066.751] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x19eb78, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.751] NtCreateFile (in: FileHandle=0x19eba4, DesiredAccess=0x12019f, ObjectAttributes=0x19eb60*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eb80, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eba4*=0xd8, IoStatusBlock=0x19eb80*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.751] NtQueryInformationFile (in: FileHandle=0xd8, IoStatusBlock=0x19eb80, FileInformation=0x19eab0, Length=0x28, FileInformationClass=0x4 | out: IoStatusBlock=0x19eb80, FileInformation=0x19eab0) returned 0x0 [0066.754] NtSetInformationFile (FileHandle=0xd8, IoStatusBlock=0x19eb80, FileInformation=0x19eab0, Length=0x28, FileInformationClass=0x4) returned 0x0 [0066.754] NtClose (Handle=0xd8) returned 0x0 [0066.754] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x19e038, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.755] NtCreateFile (in: FileHandle=0x19e064, DesiredAccess=0x120089, ObjectAttributes=0x19e020*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e040, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e064*=0xd8, IoStatusBlock=0x19e040*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.755] NtQueryInformationFile (in: FileHandle=0xd8, IoStatusBlock=0x19e040, FileInformation=0x19ddb4, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19e040, FileInformation=0x19ddb4) returned 0x0 [0066.755] NtClose (Handle=0xd8) returned 0x0 [0066.755] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\cmd.exe", lpCommandLine="/c del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e704*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e748, hNewToken=0x0 | out: lpProcessInformation=0x19e748*(hProcess=0xd4, hThread=0xd8, dwProcessId=0xa58, dwThreadId=0xa5c), hNewToken=0x0) returned 1 [0066.759] NtWaitForSingleObject (Object=0xd4, Alertable=0, Time=0x0) returned 0x0 [0066.849] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x19eb60, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.849] NtCreateFile (in: FileHandle=0x19eb8c, DesiredAccess=0x120189, ObjectAttributes=0x19eb48*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19eb68, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19eb8c*=0xe0, IoStatusBlock=0x19eb68*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.857] SetErrorMode (uMode=0x8003) returned 0x1 [0066.859] NtCreateSection (in: SectionHandle=0x19e9e4, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19e760, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19e9e4*=0xdc) returned 0x0 [0066.861] NtMapViewOfSection (in: SectionHandle=0xdc, ProcessHandle=0xffffffff, BaseAddress=0x19e9e8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e760*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e9e8*=0x110000, SectionOffset=0x0, ViewSize=0x19e760*=0x24000) returned 0x0 [0066.864] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e758*=0x0, ZeroBits=0x0, RegionSize=0x19e75c*=0x23a00, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x19e758*=0x1a0000, RegionSize=0x19e75c*=0x24000) returned 0x0 [0066.866] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19d994 | out: TokenHandle=0x19d994*=0xe4) returned 0x0 [0066.866] NtQueryInformationToken (in: TokenHandle=0xe4, TokenInformationClass=0x1, TokenInformation=0x19d18c, TokenInformationLength=0x400, ReturnLength=0x19d98c | out: TokenInformation=0x19d18c, ReturnLength=0x19d98c) returned 0x0 [0066.866] ConvertSidToStringSidW () returned 0x1 [0066.866] NtClose (Handle=0xe4) returned 0x0 [0066.866] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19dc04*=0x0, ZeroBits=0x0, RegionSize=0x19dc08*=0x64afa, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19dc04*=0x810000, RegionSize=0x19dc08*=0x65000) returned 0x0 [0066.866] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19dbf0*=0x0, ZeroBits=0x0, RegionSize=0x19dbf4*=0x64afa, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19dbf0*=0x880000, RegionSize=0x19dbf4*=0x65000) returned 0x0 [0066.869] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="windir", Value=0x19e4c0 | out: Value="C:\\Windows") returned 0x0 [0066.869] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\drivers\\etc\\hosts", NtPathName=0x19e48c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.869] NtCreateFile (in: FileHandle=0x19e4b8, DesiredAccess=0x120089, ObjectAttributes=0x19e474*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts" (normalized: "c:\\windows\\system32\\drivers\\etc\\hosts"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e494, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e4b8*=0xe4, IoStatusBlock=0x19e494*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.869] NtQueryInformationFile (in: FileHandle=0xe4, IoStatusBlock=0x19e494, FileInformation=0x19e3ec, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e494, FileInformation=0x19e3ec) returned 0x0 [0066.869] NtClose (Handle=0xe4) returned 0x0 [0066.869] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\drivers\\etc\\hosts", NtPathName=0x19e47c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.869] NtCreateFile (in: FileHandle=0x19e4a8, DesiredAccess=0x120089, ObjectAttributes=0x19e464*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts" (normalized: "c:\\windows\\system32\\drivers\\etc\\hosts"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e484, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e4a8*=0xe4, IoStatusBlock=0x19e484*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.870] NtQueryInformationFile (in: FileHandle=0xe4, IoStatusBlock=0x19e484, FileInformation=0x19e3dc, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e484, FileInformation=0x19e3dc) returned 0x0 [0066.873] NtReadFile (in: FileHandle=0xe4, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19e484, Buffer=0x2dc708, BufferLength=0x338, ByteOffset=0x19e3f4*=0, Key=0x0 | out: IoStatusBlock=0x19e484, Buffer=0x2dc708*) returned 0x0 [0066.873] NtClose (Handle=0xe4) returned 0x0 [0066.873] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e778*=0x0, ZeroBits=0x0, RegionSize=0x19e77c*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e778*=0x140000, RegionSize=0x19e77c*=0x10000) returned 0x0 [0066.874] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x140000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x140000, ResultLength=0x0) returned 0x0 [0066.892] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19df3c | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0066.892] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x19e18c | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0066.892] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV", NtPathName=0x19e1a4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.892] NtCreateFile (in: FileHandle=0x19e1d0, DesiredAccess=0x100181, ObjectAttributes=0x19e18c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e1ac, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x21, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e1d0*=0xe4, IoStatusBlock=0x19e1ac*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0066.893] NtQueryInformationFile (in: FileHandle=0xe4, IoStatusBlock=0x19e1ac, FileInformation=0x19e14c, Length=0x28, FileInformationClass=0x4 | out: IoStatusBlock=0x19e1ac, FileInformation=0x19e14c) returned 0x0 [0066.893] NtSetInformationFile (FileHandle=0xe4, IoStatusBlock=0x19e1ac, FileInformation=0x19e14c, Length=0x28, FileInformationClass=0x4) returned 0x0 [0066.893] NtClose (Handle=0xe4) returned 0x0 [0066.893] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x19e16c | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0066.893] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-log.ini", NtPathName=0x19e1cc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-log.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.893] NtCreateFile (in: FileHandle=0x19e1f8, DesiredAccess=0x12019f, ObjectAttributes=0x19e1b4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-log.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-log.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e1d4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e1f8*=0xe4, IoStatusBlock=0x19e1d4*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0066.893] NtClose (Handle=0xe4) returned 0x0 [0066.893] NtCreateSection (in: SectionHandle=0x19f7cc, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19e1cc, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19f7cc*=0xe4) returned 0x0 [0066.893] NtMapViewOfSection (in: SectionHandle=0xe4, ProcessHandle=0xffffffff, BaseAddress=0x19f7c8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e1cc*=0x4e2000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x19f7c8*=0x22a0000, SectionOffset=0x0, ViewSize=0x19e1cc*=0x4e2000) returned 0x0 [0066.893] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19d9f0 | out: TokenHandle=0x19d9f0*=0xe8) returned 0x0 [0066.894] NtQueryInformationToken (in: TokenHandle=0xe8, TokenInformationClass=0x1, TokenInformation=0x19d1e8, TokenInformationLength=0x400, ReturnLength=0x19d9e8 | out: TokenInformation=0x19d1e8, ReturnLength=0x19d9e8) returned 0x0 [0066.894] ConvertSidToStringSidW () returned 0x1 [0066.894] NtClose (Handle=0xe8) returned 0x0 [0066.901] RtlIntegerToChar (in: Value=0xe51f6973, Base=0x10, Length=0x20, String=0x22a2055 | out: String="E51F6973") returned 0x0 [0066.901] NtCreateKey (in: KeyHandle=0x19e424, DesiredAccess=0x20219, ObjectAttributes=0x19d9f0*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e424*=0xe8) returned 0x0 [0066.904] NtQueryValueKey (in: KeyHandle=0xe8, ValueName="ProductName", KeyValueInformationClass=0x1, KeyValueInformation=0x19e03c, Length=0x100, ResultLength=0x19e3f4 | out: KeyValueInformation=0x19e03c*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x2e, NameLength=0x16, Name="ProductName", Data="Windows 7 Professional"), ResultLength=0x19e3f4) returned 0x0 [0066.904] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19da20*=0x0, ZeroBits=0x0, RegionSize=0x19da24*=0xfa200, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x19da20*=0x1e00000, RegionSize=0x19da24*=0xfb000) returned 0x0 [0066.904] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x19d9f8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.904] NtCreateFile (in: FileHandle=0x19da24, DesiredAccess=0x120089, ObjectAttributes=0x19d9e0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19da00, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19da24*=0xec, IoStatusBlock=0x19da00*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.905] NtQueryInformationFile (in: FileHandle=0xec, IoStatusBlock=0x19da00, FileInformation=0x19d958, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19da00, FileInformation=0x19d958) returned 0x0 [0066.905] NtClose (Handle=0xec) returned 0x0 [0066.905] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x19d9e8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.905] NtCreateFile (in: FileHandle=0x19da14, DesiredAccess=0x120089, ObjectAttributes=0x19d9d0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d9f0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19da14*=0xec, IoStatusBlock=0x19d9f0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.905] NtQueryInformationFile (in: FileHandle=0xec, IoStatusBlock=0x19d9f0, FileInformation=0x19d948, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d9f0, FileInformation=0x19d948) returned 0x0 [0066.905] NtReadFile (in: FileHandle=0xec, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19d9f0, Buffer=0x23a1270, BufferLength=0x47000, ByteOffset=0x19d960*=0, Key=0x0 | out: IoStatusBlock=0x19d9f0, Buffer=0x23a1270*) returned 0x0 [0066.909] NtClose (Handle=0xec) returned 0x0 [0066.909] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19ddc4 | out: TokenHandle=0x19ddc4*=0xec) returned 0x0 [0066.909] NtQueryInformationToken (in: TokenHandle=0xec, TokenInformationClass=0x1, TokenInformation=0x19d5bc, TokenInformationLength=0x400, ReturnLength=0x19ddbc | out: TokenInformation=0x19d5bc, ReturnLength=0x19ddbc) returned 0x0 [0066.909] ConvertSidToStringSidW () returned 0x1 [0066.909] NtClose (Handle=0xec) returned 0x0 [0066.909] NtCreateKey (in: KeyHandle=0x19e418, DesiredAccess=0x20219, ObjectAttributes=0x19ddc0*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e418*=0xec) returned 0x0 [0066.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19dcb4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.909] NtCreateFile (in: FileHandle=0x19dce0, DesiredAccess=0x120089, ObjectAttributes=0x19dc9c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19dcbc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19dce0*=0x0, IoStatusBlock=0x19dcbc*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0066.909] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19dccc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.909] NtCreateFile (in: FileHandle=0x19dcf8, DesiredAccess=0x12019f, ObjectAttributes=0x19dcb4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19dcd4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19dcf8*=0xf0, IoStatusBlock=0x19dcd4*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0066.910] NtQueryInformationFile (in: FileHandle=0xf0, IoStatusBlock=0x19dcd4, FileInformation=0x19dc2c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19dcd4, FileInformation=0x19dc2c) returned 0x0 [0066.914] NtWriteFile (in: FileHandle=0xf0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19dcd4, Buffer=0x2e0710*, Length=0x28, ByteOffset=0x19dc44*=0, Key=0x0 | out: IoStatusBlock=0x19dcd4, Buffer=0x2e0710*) returned 0x0 [0066.914] NtClose (Handle=0xf0) returned 0x0 [0066.917] NtEnumerateKey (in: KeyHandle=0xec, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.917] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\05cb6f136411cf4daf1f74e966b0a7dc", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.917] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.917] NtClose (Handle=0xf0) returned 0x0 [0066.917] NtEnumerateKey (in: KeyHandle=0xec, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.917] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.917] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.917] NtClose (Handle=0xf0) returned 0x0 [0066.917] NtEnumerateKey (in: KeyHandle=0xec, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.917] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.917] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\4b62e5f8c092a64ea9b79fd559a5a15e", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x5, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\609a848a708f544697003a34105400ef", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x6, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\63cba20b08018a458b6edb5d87fb54da", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x7, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\828cd3a417cead4ab3a214070dce1c3d", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x8, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\8503020000000000c000000000000046", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0x9, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.918] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\88d17fec23cbdd4fb54ad1d34c0dce09", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.918] NtClose (Handle=0xf0) returned 0x0 [0066.918] NtEnumerateKey (in: KeyHandle=0xec, Index=0xa, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.919] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.919] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0066.919] NtClose (Handle=0xf0) returned 0x0 [0066.919] NtEnumerateKey (in: KeyHandle=0xec, Index=0xb, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0066.919] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0066.919] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x0 [0066.919] NtCreateKey (in: KeyHandle=0x19ddd8, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19ddd8*=0xf4) returned 0x0 [0066.921] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.921] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.921] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.921] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.921] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xc, ByteOffset=0x19d00c*=40, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.921] NtClose (Handle=0xf8) returned 0x0 [0066.921] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.922] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.922] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.922] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x52, ByteOffset=0x19d00c*=52, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.922] NtClose (Handle=0xf8) returned 0x0 [0066.922] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.922] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.922] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.922] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.922] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x12, ByteOffset=0x19d00c*=134, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.922] NtClose (Handle=0xf8) returned 0x0 [0066.929] RtlIntegerToChar (in: Value=0x377aef04, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="930803460") returned 0x0 [0066.929] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.930] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.930] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.930] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x16, ByteOffset=0x19d00c*=152, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.930] NtClose (Handle=0xf8) returned 0x0 [0066.930] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.931] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.931] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.931] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.931] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=174, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.931] NtClose (Handle=0xf8) returned 0x0 [0066.931] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.931] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.931] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.931] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=198, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.932] NtClose (Handle=0xf8) returned 0x0 [0066.932] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.932] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.932] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.932] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.932] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=218, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.937] NtClose (Handle=0xf8) returned 0x0 [0066.938] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.938] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.938] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.938] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x10, ByteOffset=0x19d00c*=244, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.938] NtClose (Handle=0xf8) returned 0x0 [0066.939] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.939] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.939] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.939] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.939] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1c, ByteOffset=0x19d00c*=260, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.939] NtClose (Handle=0xf8) returned 0x0 [0066.948] RtlIntegerToChar (in: Value=0x2, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="2") returned 0x0 [0066.948] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.948] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.949] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.949] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x6, ByteOffset=0x19d00c*=288, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.949] NtClose (Handle=0xf8) returned 0x0 [0066.949] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.949] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.949] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.949] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.949] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=294, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.950] NtClose (Handle=0xf8) returned 0x0 [0066.950] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.950] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.950] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.950] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2c, ByteOffset=0x19d00c*=320, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.950] NtClose (Handle=0xf8) returned 0x0 [0066.951] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.951] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.951] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.951] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.951] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x20, ByteOffset=0x19d00c*=364, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.951] NtClose (Handle=0xf8) returned 0x0 [0066.952] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.952] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.952] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.952] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=396, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.952] NtClose (Handle=0xf8) returned 0x0 [0066.952] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x8000001a [0066.952] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d12c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.952] NtCreateFile (in: FileHandle=0x19d158, DesiredAccess=0x12019f, ObjectAttributes=0x19d114*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d134, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d158*=0xf8, IoStatusBlock=0x19d134*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.952] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d134, FileInformation=0x19d08c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d134, FileInformation=0x19d08c) returned 0x0 [0066.952] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d134, Buffer=0x2e0710*, Length=0x4, ByteOffset=0x19d0a4*=416, Key=0x0 | out: IoStatusBlock=0x19d134, Buffer=0x2e0710*) returned 0x0 [0066.953] NtClose (Handle=0xf8) returned 0x0 [0066.953] NtClose (Handle=0xf4) returned 0x0 [0066.953] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x0 [0066.953] NtCreateKey (in: KeyHandle=0x19ddd8, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19ddd8*=0xf4) returned 0x0 [0066.953] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.953] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.953] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.953] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.953] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xc, ByteOffset=0x19d00c*=420, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.953] NtClose (Handle=0xf8) returned 0x0 [0066.954] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.954] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.954] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.954] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x52, ByteOffset=0x19d00c*=432, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.954] NtClose (Handle=0xf8) returned 0x0 [0066.954] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.954] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.955] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.955] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.955] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x12, ByteOffset=0x19d00c*=514, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.955] NtClose (Handle=0xf8) returned 0x0 [0066.963] RtlIntegerToChar (in: Value=0x37dce1df, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="937222623") returned 0x0 [0066.963] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.963] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.963] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.963] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x16, ByteOffset=0x19d00c*=532, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.964] NtClose (Handle=0xf8) returned 0x0 [0066.964] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.964] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.964] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.964] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.964] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=554, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.964] NtClose (Handle=0xf8) returned 0x0 [0066.965] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.965] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.965] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.965] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=578, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.965] NtClose (Handle=0xf8) returned 0x0 [0066.965] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.965] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.966] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.966] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.966] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=598, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.966] NtClose (Handle=0xf8) returned 0x0 [0066.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.966] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.966] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.966] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x12, ByteOffset=0x19d00c*=624, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.966] NtClose (Handle=0xf8) returned 0x0 [0066.967] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.967] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.967] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.967] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.967] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1c, ByteOffset=0x19d00c*=642, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.967] NtClose (Handle=0xf8) returned 0x0 [0066.974] RtlIntegerToChar (in: Value=0x2, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="2") returned 0x0 [0066.974] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.974] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.974] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.974] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x6, ByteOffset=0x19d00c*=670, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.974] NtClose (Handle=0xf8) returned 0x0 [0066.975] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.975] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.975] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.975] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.975] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=676, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.975] NtClose (Handle=0xf8) returned 0x0 [0066.975] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.976] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.976] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.976] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2e, ByteOffset=0x19d00c*=702, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.976] NtClose (Handle=0xf8) returned 0x0 [0066.976] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.976] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.976] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.976] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.976] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x20, ByteOffset=0x19d00c*=748, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.976] NtClose (Handle=0xf8) returned 0x0 [0066.977] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.977] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.977] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.977] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=780, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.977] NtClose (Handle=0xf8) returned 0x0 [0066.978] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x8000001a [0066.978] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d12c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.978] NtCreateFile (in: FileHandle=0x19d158, DesiredAccess=0x12019f, ObjectAttributes=0x19d114*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d134, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d158*=0xf8, IoStatusBlock=0x19d134*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.978] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d134, FileInformation=0x19d08c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d134, FileInformation=0x19d08c) returned 0x0 [0066.978] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d134, Buffer=0x2e0710*, Length=0x4, ByteOffset=0x19d0a4*=800, Key=0x0 | out: IoStatusBlock=0x19d134, Buffer=0x2e0710*) returned 0x0 [0066.978] NtClose (Handle=0xf8) returned 0x0 [0066.978] NtClose (Handle=0xf4) returned 0x0 [0066.978] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x0 [0066.978] NtCreateKey (in: KeyHandle=0x19ddd8, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19ddd8*=0xf4) returned 0x0 [0066.978] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.978] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.979] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.979] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.979] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xc, ByteOffset=0x19d00c*=804, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.979] NtClose (Handle=0xf8) returned 0x0 [0066.980] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.980] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.980] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.980] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x52, ByteOffset=0x19d00c*=816, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.980] NtClose (Handle=0xf8) returned 0x0 [0066.980] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.980] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.980] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.981] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.981] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x12, ByteOffset=0x19d00c*=898, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.981] NtClose (Handle=0xf8) returned 0x0 [0066.988] RtlIntegerToChar (in: Value=0xfce98a30, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="4243163696") returned 0x0 [0066.988] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.988] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.988] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.988] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=916, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.988] NtClose (Handle=0xf8) returned 0x0 [0066.989] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.989] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.989] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.989] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.989] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=940, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.989] NtClose (Handle=0xf8) returned 0x0 [0066.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.990] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.990] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.990] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2a, ByteOffset=0x19d00c*=966, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.990] NtClose (Handle=0xf8) returned 0x0 [0066.990] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.991] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.991] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.991] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.991] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=1008, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.991] NtClose (Handle=0xf8) returned 0x0 [0066.991] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.991] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.991] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.991] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=1034, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.991] NtClose (Handle=0xf8) returned 0x0 [0066.992] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.992] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.992] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.992] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xc, ByteOffset=0x19d00c*=1054, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.992] NtClose (Handle=0xf8) returned 0x0 [0066.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.992] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.992] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.993] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2a, ByteOffset=0x19d00c*=1066, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.993] NtClose (Handle=0xf8) returned 0x0 [0066.993] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.993] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.993] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.993] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.993] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=1108, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.993] NtClose (Handle=0xf8) returned 0x0 [0066.994] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.994] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.994] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.994] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xe, ByteOffset=0x19d00c*=1132, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.994] NtClose (Handle=0xf8) returned 0x0 [0066.994] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.994] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.994] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.994] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.994] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=1146, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.995] NtClose (Handle=0xf8) returned 0x0 [0066.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.995] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.995] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.995] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x10, ByteOffset=0x19d00c*=1170, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.995] NtClose (Handle=0xf8) returned 0x0 [0066.995] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.995] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.996] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.996] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=1186, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.996] NtClose (Handle=0xf8) returned 0x0 [0066.996] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.996] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.996] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.996] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x12, ByteOffset=0x19d00c*=1206, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.997] NtClose (Handle=0xf8) returned 0x0 [0066.997] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x8, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0066.997] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.997] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.997] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0066.997] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2e, ByteOffset=0x19d00c*=1224, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0066.997] NtClose (Handle=0xf8) returned 0x0 [0067.004] RtlIntegerToChar (in: Value=0x0, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="0") returned 0x0 [0067.004] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.004] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.004] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.004] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x6, ByteOffset=0x19d00c*=1270, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.005] NtClose (Handle=0xf8) returned 0x0 [0067.005] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x9, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.005] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.005] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.005] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.005] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x20, ByteOffset=0x19d00c*=1276, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.005] NtClose (Handle=0xf8) returned 0x0 [0067.013] RtlIntegerToChar (in: Value=0xe0003, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="917507") returned 0x0 [0067.013] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.013] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.013] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.013] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x10, ByteOffset=0x19d00c*=1308, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.014] NtClose (Handle=0xf8) returned 0x0 [0067.014] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0xa, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.014] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.014] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.014] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.014] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2e, ByteOffset=0x19d00c*=1324, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.014] NtClose (Handle=0xf8) returned 0x0 [0067.015] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.015] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.015] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.015] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xd4, ByteOffset=0x19d00c*=1370, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.015] NtClose (Handle=0xf8) returned 0x0 [0067.016] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0xb, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.016] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.016] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.016] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.016] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x30, ByteOffset=0x19d00c*=1582, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.016] NtClose (Handle=0xf8) returned 0x0 [0067.016] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.016] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.016] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.016] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1c, ByteOffset=0x19d00c*=1630, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.016] NtClose (Handle=0xf8) returned 0x0 [0067.017] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0xc, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.017] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.017] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.017] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.017] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x20, ByteOffset=0x19d00c*=1658, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.017] NtClose (Handle=0xf8) returned 0x0 [0067.017] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.017] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.017] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.018] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=1690, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.018] NtClose (Handle=0xf8) returned 0x0 [0067.018] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0xd, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x8000001a [0067.018] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d12c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.018] NtCreateFile (in: FileHandle=0x19d158, DesiredAccess=0x12019f, ObjectAttributes=0x19d114*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d134, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d158*=0xf8, IoStatusBlock=0x19d134*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.018] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d134, FileInformation=0x19d08c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d134, FileInformation=0x19d08c) returned 0x0 [0067.018] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d134, Buffer=0x2e0710*, Length=0x4, ByteOffset=0x19d0a4*=1710, Key=0x0 | out: IoStatusBlock=0x19d134, Buffer=0x2e0710*) returned 0x0 [0067.018] NtClose (Handle=0xf8) returned 0x0 [0067.018] NtClose (Handle=0xf4) returned 0x0 [0067.019] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x0 [0067.019] NtCreateKey (in: KeyHandle=0x19ddd8, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19ddd8*=0xf4) returned 0x0 [0067.019] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.019] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.019] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.019] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.019] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0xc, ByteOffset=0x19d00c*=1714, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.019] NtClose (Handle=0xf8) returned 0x0 [0067.019] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.019] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.019] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.019] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x52, ByteOffset=0x19d00c*=1726, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.020] NtClose (Handle=0xf8) returned 0x0 [0067.020] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.020] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.020] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.020] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.020] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x12, ByteOffset=0x19d00c*=1808, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.020] NtClose (Handle=0xf8) returned 0x0 [0067.028] RtlIntegerToChar (in: Value=0x4e1d96f3, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="1310562035") returned 0x0 [0067.028] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.028] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.028] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.028] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=1826, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.028] NtClose (Handle=0xf8) returned 0x0 [0067.029] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.029] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.029] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.029] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.029] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=1850, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.029] NtClose (Handle=0xf8) returned 0x0 [0067.030] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.030] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.030] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.030] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=1874, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.030] NtClose (Handle=0xf8) returned 0x0 [0067.031] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.031] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.031] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.031] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.031] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=1894, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.031] NtClose (Handle=0xf8) returned 0x0 [0067.032] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.032] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.032] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.032] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x18, ByteOffset=0x19d00c*=1920, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.032] NtClose (Handle=0xf8) returned 0x0 [0067.033] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.033] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.033] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.033] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.033] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1c, ByteOffset=0x19d00c*=1944, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.033] NtClose (Handle=0xf8) returned 0x0 [0067.045] RtlIntegerToChar (in: Value=0x4, Base=0x0, Length=0x20, String=0x19d0f0 | out: String="4") returned 0x0 [0067.045] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.045] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.045] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.045] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x6, ByteOffset=0x19d00c*=1972, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.045] NtClose (Handle=0xf8) returned 0x0 [0067.046] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.046] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.046] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.046] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.046] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x1a, ByteOffset=0x19d00c*=1978, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.046] NtClose (Handle=0xf8) returned 0x0 [0067.047] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.047] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.047] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.047] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x2a, ByteOffset=0x19d00c*=2004, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.047] NtClose (Handle=0xf8) returned 0x0 [0067.048] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x0 [0067.048] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.048] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.048] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.048] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x20, ByteOffset=0x19d00c*=2046, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.048] NtClose (Handle=0xf8) returned 0x0 [0067.054] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d094, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.054] NtCreateFile (in: FileHandle=0x19d0c0, DesiredAccess=0x12019f, ObjectAttributes=0x19d07c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d09c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d0c0*=0xf8, IoStatusBlock=0x19d09c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.054] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d09c, FileInformation=0x19cff4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d09c, FileInformation=0x19cff4) returned 0x0 [0067.054] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d09c, Buffer=0x2e0710*, Length=0x14, ByteOffset=0x19d00c*=2078, Key=0x0 | out: IoStatusBlock=0x19d09c, Buffer=0x2e0710*) returned 0x0 [0067.054] NtClose (Handle=0xf8) returned 0x0 [0067.055] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x8000001a [0067.055] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d12c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.055] NtCreateFile (in: FileHandle=0x19d158, DesiredAccess=0x12019f, ObjectAttributes=0x19d114*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d134, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d158*=0xf8, IoStatusBlock=0x19d134*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.055] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d134, FileInformation=0x19d08c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d134, FileInformation=0x19d08c) returned 0x0 [0067.055] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d134, Buffer=0x2e0710*, Length=0x4, ByteOffset=0x19d0a4*=2098, Key=0x0 | out: IoStatusBlock=0x19d134, Buffer=0x2e0710*) returned 0x0 [0067.056] NtClose (Handle=0xf8) returned 0x0 [0067.056] NtClose (Handle=0xf4) returned 0x0 [0067.056] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.056] NtClose (Handle=0xf0) returned 0x0 [0067.056] NtEnumerateKey (in: KeyHandle=0xec, Index=0xc, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.057] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\a533ec91a4f74549ac2130b6908c8aac", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.057] NtClose (Handle=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xec, Index=0xd, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.057] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\b70c659765f94740b657fee657d05ab4", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.057] NtClose (Handle=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xec, Index=0xe, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.057] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\cce6b8ce16bac4458e5e40e3530d6f1d", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.057] NtClose (Handle=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xec, Index=0xf, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.057] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\dd7f40a823cda64b92e9a96e9e46e406", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.057] NtClose (Handle=0xf0) returned 0x0 [0067.057] NtEnumerateKey (in: KeyHandle=0xec, Index=0x10, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.058] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\ddb0922fc50b8d42be5a821ede840761", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.058] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.058] NtClose (Handle=0xf0) returned 0x0 [0067.058] NtEnumerateKey (in: KeyHandle=0xec, Index=0x11, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.058] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.058] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.058] NtClose (Handle=0xf0) returned 0x0 [0067.058] NtEnumerateKey (in: KeyHandle=0xec, Index=0x12, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x0 [0067.058] NtCreateKey (in: KeyHandle=0x19dddc, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\{D9734F19-8CFB-411D-BC59-833E334FCB5E}", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19dddc*=0xf0) returned 0x0 [0067.058] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x0 [0067.058] NtCreateKey (in: KeyHandle=0x19ddd8, DesiredAccess=0x20219, ObjectAttributes=0x19d140*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\\Calendar Summary", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19ddd8*=0xf4) returned 0x0 [0067.058] NtEnumerateValueKey (in: KeyHandle=0xf4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19d188, Length=0x400, ResultLength=0x19dde4 | out: KeyValueInformation=0x19d188, ResultLength=0x19dde4) returned 0x8000001a [0067.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x19d12c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.058] NtCreateFile (in: FileHandle=0x19d158, DesiredAccess=0x12019f, ObjectAttributes=0x19d114*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d134, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d158*=0xf8, IoStatusBlock=0x19d134*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.058] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x19d134, FileInformation=0x19d08c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d134, FileInformation=0x19d08c) returned 0x0 [0067.058] NtWriteFile (in: FileHandle=0xf8, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d134, Buffer=0x2e0710*, Length=0x4, ByteOffset=0x19d0a4*=2102, Key=0x0 | out: IoStatusBlock=0x19d134, Buffer=0x2e0710*) returned 0x0 [0067.059] NtClose (Handle=0xf8) returned 0x0 [0067.059] NtClose (Handle=0xf4) returned 0x0 [0067.059] NtEnumerateKey (in: KeyHandle=0xf0, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x19d588, Length=0x400, ResultLength=0x19dde4 | out: KeyInformation=0x19d588, ResultLength=0x19dde4) returned 0x8000001a [0067.060] NtClose (Handle=0xf0) returned 0x0 [0067.060] NtEnumerateKey (in: KeyHandle=0xec, Index=0x13, KeyInformationClass=0x0, KeyInformation=0x19d988, Length=0x200, ResultLength=0x19ddd0 | out: KeyInformation=0x19d988, ResultLength=0x19ddd0) returned 0x8000001a [0067.060] NtCreateKey (in: KeyHandle=0x19e418, DesiredAccess=0x20219, ObjectAttributes=0x19ddb8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e418*=0x0) returned 0xc0000034 [0067.060] NtCreateKey (in: KeyHandle=0x19e418, DesiredAccess=0x20219, ObjectAttributes=0x19ddd4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e418*=0x0) returned 0xc0000034 [0067.060] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19d500 | out: TokenHandle=0x19d500*=0xf0) returned 0x0 [0067.060] NtQueryInformationToken (in: TokenHandle=0xf0, TokenInformationClass=0x1, TokenInformation=0x19ccf8, TokenInformationLength=0x400, ReturnLength=0x19d4f8 | out: TokenInformation=0x19ccf8, ReturnLength=0x19d4f8) returned 0x0 [0067.060] ConvertSidToStringSidW () returned 0x1 [0067.060] NtClose (Handle=0xf0) returned 0x0 [0067.060] NtCreateKey (in: KeyHandle=0x19e414, DesiredAccess=0x20219, ObjectAttributes=0x19d4fc*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e414*=0xf0) returned 0x0 [0067.060] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini", NtPathName=0x19d3fc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.060] NtCreateFile (in: FileHandle=0x19d428, DesiredAccess=0x120089, ObjectAttributes=0x19d3e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logri.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d404, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d428*=0x0, IoStatusBlock=0x19d404*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0067.061] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini", NtPathName=0x19d414, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.061] NtCreateFile (in: FileHandle=0x19d440, DesiredAccess=0x12019f, ObjectAttributes=0x19d3fc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logri.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19d41c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19d440*=0xf4, IoStatusBlock=0x19d41c*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0067.061] NtQueryInformationFile (in: FileHandle=0xf4, IoStatusBlock=0x19d41c, FileInformation=0x19d374, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19d41c, FileInformation=0x19d374) returned 0x0 [0067.061] NtWriteFile (in: FileHandle=0xf4, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19d41c, Buffer=0x2e0710*, Length=0x28, ByteOffset=0x19d38c*=0, Key=0x0 | out: IoStatusBlock=0x19d41c, Buffer=0x2e0710*) returned 0x0 [0067.062] NtClose (Handle=0xf4) returned 0x0 [0067.074] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="crypt32.dll", BaseAddress=0x19d418 | out: BaseAddress=0x19d418*=0x768e0000) returned 0x0 [0067.120] CoInitialize (pvReserved=0x0) returned 0x0 [0067.128] CoCreateInstance (in: rclsid=0x19d50c*(Data1=0x3c374a40, Data2=0xbae4, Data3=0x11cf, Data4=([0]=0xbf, [1]=0x7d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x69, [6]=0x46, [7]=0xee)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x19d51c*(Data1=0xafa0dc11, Data2=0xc313, Data3=0x11d0, Data4=([0]=0x83, [1]=0x1a, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0xae, [7]=0x38)), ppv=0x19d534 | out: ppv=0x19d534*=0x2f3440) returned 0x0 [0068.363] IUrlHistoryStg:EnumUrls (in: This=0x2f3440, ppenum=0x19d530 | out: ppenum=0x19d530*=0x2f3688) returned 0x0 [0068.413] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x19eff0 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0068.840] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.045] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.045] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.045] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.045] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.045] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.046] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.097] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.098] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.098] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.098] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.098] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.098] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.099] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.099] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.099] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1) returned 0x0 [0069.100] IEnumSTATURL:Next (in: This=0x2f3688, celt=0x1, rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x1 | out: rgelt=0x19d4e4, pceltFetched=0x19d52c*=0x0) returned 0x1 [0069.100] IUnknown:Release (This=0x2f3688) returned 0x0 [0069.127] IUnknown:Release (This=0x2f3440) returned 0x1 [0069.127] CoUninitialize () [0069.176] NtEnumerateValueKey (in: KeyHandle=0xf0, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19d558, Length=0x800, ResultLength=0x19e410 | out: KeyValueInformation=0x19d558, ResultLength=0x19e410) returned 0x8000001a [0069.177] NtClose (Handle=0xf0) returned 0x0 [0069.182] NtCreateKey (in: KeyHandle=0x19e374, DesiredAccess=0x20219, ObjectAttributes=0x19e1ec*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e374*=0xf0) returned 0x0 [0069.182] NtQueryValueKey (in: KeyHandle=0xf0, ValueName="CurrentVersion", KeyValueInformationClass=0x1, KeyValueInformation=0x300068, Length=0x100, ResultLength=0x19e35c | out: KeyValueInformation=0x300068*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x1a, NameLength=0x1c, Name="CurrentVersion", Data="25.0 (en-US)"), ResultLength=0x19e35c) returned 0x0 [0069.182] NtClose (Handle=0xf0) returned 0x0 [0069.187] RtlCharToInteger (in: String="25.0 (en-US)", Base=0x0, Value=0x2ffc04 | out: Value=0x2ffc04) returned 0x0 [0069.187] NtCreateKey (in: KeyHandle=0x19e374, DesiredAccess=0x20219, ObjectAttributes=0x19e20c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e374*=0xf0) returned 0x0 [0069.187] NtQueryValueKey (in: KeyHandle=0xf0, ValueName="Install Directory", KeyValueInformationClass=0x1, KeyValueInformation=0x2ffc68, Length=0x200, ResultLength=0x19e35c | out: KeyValueInformation=0x2ffc68*(TitleIndex=0x0, Type=0x1, DataOffset=0x38, DataLength=0x4e, NameLength=0x22, Name="Install Directory", Data="C:\\Program Files (x86)\\Mozilla Firefox"), ResultLength=0x19e35c) returned 0x0 [0069.187] NtClose (Handle=0xf0) returned 0x0 [0069.187] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="PATH", Value=0x19dfb8 | out: Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x0 [0069.195] RtlSetEnvironmentVariable (in: Environment=0x0, Name="PATH", Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files (x86)\\Mozilla Firefox" | out: Environment=0x0) returned 0x0 [0069.195] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll", BaseAddress=0x19dfb0 | out: BaseAddress=0x19dfb0*=0x0) returned 0xc0000135 [0070.095] RtlSetEnvironmentVariable (in: Environment=0x0, Name="PATH", Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" | out: Environment=0x0) returned 0x0 [0070.095] NtCreateKey (in: KeyHandle=0x19e36c, DesiredAccess=0x20219, ObjectAttributes=0x19e1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Thunderbird\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e36c*=0x0) returned 0xc0000022 [0070.095] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x19df1c | out: Value="C:\\Program Files (x86)") returned 0x0 [0070.095] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0x19def4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.095] NtCreateFile (in: FileHandle=0x19df20, DesiredAccess=0x120089, ObjectAttributes=0x19dedc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19defc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19df20*=0xf0, IoStatusBlock=0x19defc*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0070.096] NtQueryInformationFile (in: FileHandle=0xf0, IoStatusBlock=0x19defc, FileInformation=0x19de54, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19defc, FileInformation=0x19de54) returned 0x0 [0070.096] NtClose (Handle=0xf0) returned 0x0 [0070.096] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="LOCALAPPDATA", Value=0x19dfd4 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 0x0 [0070.096] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtPathName=0x19dfac, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.096] NtCreateFile (in: FileHandle=0x19dfd8, DesiredAccess=0x120089, ObjectAttributes=0x19df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19dfb4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19dfd8*=0xf0, IoStatusBlock=0x19dfb4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0070.152] NtQueryInformationFile (in: FileHandle=0xf0, IoStatusBlock=0x19dfb4, FileInformation=0x19df0c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19dfb4, FileInformation=0x19df0c) returned 0x0 [0070.152] NtClose (Handle=0xf0) returned 0x0 [0070.152] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="winsqlite3.dll", BaseAddress=0x19df64 | out: BaseAddress=0x19df64*=0x0) returned 0xc0000135 [0070.154] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x19df24 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0070.154] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtPathName=0x19df0c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.154] NtCreateFile (in: FileHandle=0x19df38, DesiredAccess=0x120089, ObjectAttributes=0x19def4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\opera software\\opera stable\\login data"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19df14, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19df38*=0x0, IoStatusBlock=0x19df14*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0070.154] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="vaultcli.dll", BaseAddress=0x19e14c | out: BaseAddress=0x19e14c*=0x74fa0000) returned 0x0 [0070.275] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini", NtPathName=0x19e020, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.275] NtCreateFile (in: FileHandle=0x19e04c, DesiredAccess=0x120089, ObjectAttributes=0x19e008*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrv.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e028, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e04c*=0x0, IoStatusBlock=0x19e028*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0070.275] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini", NtPathName=0x19e038, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.275] NtCreateFile (in: FileHandle=0x19e064, DesiredAccess=0x12019f, ObjectAttributes=0x19e020*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrv.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e040, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e064*=0x120, IoStatusBlock=0x19e040*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0070.275] NtQueryInformationFile (in: FileHandle=0x120, IoStatusBlock=0x19e040, FileInformation=0x19df98, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e040, FileInformation=0x19df98) returned 0x0 [0070.275] NtWriteFile (in: FileHandle=0x120, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x19e040, Buffer=0x2e0710*, Length=0x28, ByteOffset=0x19dfb0*=0, Key=0x0 | out: IoStatusBlock=0x19e040, Buffer=0x2e0710*) returned 0x0 [0070.276] NtClose (Handle=0x120) returned 0x0 [0070.276] VaultEnumerateVaults () returned 0x0 [0071.083] VaultOpenVault () returned 0x0 [0071.083] VaultEnumerateItems () returned 0x0 [0071.083] VaultFree () returned 0x0 [0071.083] VaultCloseVault () returned 0x0 [0071.083] VaultOpenVault () returned 0x0 [0071.084] VaultEnumerateItems () returned 0x0 [0071.085] VaultFree () returned 0x0 [0071.085] VaultCloseVault () returned 0x0 [0071.085] VaultFree () returned 0x1 [0071.085] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="gdiplus.dll", BaseAddress=0x19e014 | out: BaseAddress=0x19e014*=0x74bc0000) returned 0x0 [0071.345] GetDC (hWnd=0x0) returned 0xb01089a [0071.345] CreateCompatibleDC (hdc=0xb01089a) returned 0x9010887 [0071.345] GetSystemMetrics (nIndex=0) returned 1440 [0071.346] GetSystemMetrics (nIndex=1) returned 900 [0071.346] CreateCompatibleBitmap (hdc=0xb01089a, cx=1440, cy=900) returned 0x2b0508aa [0071.360] SelectObject (hdc=0x9010887, h=0x2b0508aa) returned 0x185000f [0071.360] BitBlt (hdc=0x9010887, x=0, y=0, cx=1440, cy=900, hdcSrc=0xb01089a, x1=0, y1=0, rop=0xcc0020) returned 1 [0071.362] GdiplusStartup (in: token=0x19e3cc, input=0x19e394, output=0x0 | out: token=0x19e3cc, output=0x0) returned 0x0 [0071.565] GdipCreateBitmapFromHBITMAP (hbm=0x2b0508aa, hpal=0x0, bitmap=0x19e3c8) returned 0x0 [0071.616] GdipGetImageEncodersSize (numEncoders=0x19e020, size=0x19e01c) returned 0x0 [0071.617] GdipGetImageEncoders (in: numEncoders=0x5, size=0x410, encoders=0x2c0bd0 | out: encoders=0x2c0bd0) returned 0x0 [0071.618] GdipSaveImageToFile (image=0x2922230, filename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logim.jpeg", clsidEncoder=0x19e384*(Data1=0x557cf401, Data2=0x1a04, Data3=0x11d3, Data4=([0]=0x9a, [1]=0x73, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x1e, [6]=0xf3, [7]=0x2e)), encoderParams=0x0) returned 0x0 [0071.921] GdiplusShutdown (token=0x18545) [0071.952] DeleteObject (ho=0x2b0508aa) returned 1 [0071.952] DeleteObject (ho=0x9010887) returned 1 [0071.952] ReleaseDC (hWnd=0x0, hDC=0xb01089a) returned 1 [0071.955] NtOpenProcess (in: ProcessHandle=0x19e788, DesiredAccess=0x438, ObjectAttributes=0x19e750*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19e768*(UniqueProcess=0x564, UniqueThread=0x0) | out: ProcessHandle=0x19e788*=0x144) returned 0x0 [0071.955] NtQueryInformationProcess (in: ProcessHandle=0x144, ProcessInformationClass=0x1a, ProcessInformation=0x19e778, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19e778, ReturnLength=0x0) returned 0x0 [0071.955] NtMapViewOfSection (in: SectionHandle=0xe4, ProcessHandle=0x144, BaseAddress=0x19e774*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e770*=0x4e2000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x19e774*=0x9b50000, SectionOffset=0x0, ViewSize=0x19e770*=0x4e2000) returned 0x0 [0071.956] NtClose (Handle=0x144) returned 0x0 [0071.958] NtDelayExecution (Alertable=0, Interval=0x19e3c8*=-50000000) returned 0x0 [0076.968] NtOpenProcess (in: ProcessHandle=0x19e398, DesiredAccess=0x438, ObjectAttributes=0x19d958*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19d998*(UniqueProcess=0x564, UniqueThread=0x0) | out: ProcessHandle=0x19e398*=0x144) returned 0x0 [0076.971] NtQueryInformationProcess (in: ProcessHandle=0x144, ProcessInformationClass=0x0, ProcessInformation=0x19d9a8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x19d9a8, ReturnLength=0x0) returned 0x0 [0076.974] NtReadVirtualMemory (in: ProcessHandle=0x144, BaseAddress=0x7fffffdf000, Buffer=0x19de10, NumberOfBytesToRead=0x40, NumberOfBytesRead=0x0 | out: Buffer=0x19de10*, NumberOfBytesRead=0x0) returned 0x0 [0076.976] NtOpenThread (in: ThreadHandle=0x19d950, DesiredAccess=0x1a, ObjectAttributes=0x19d958, ClientId=0x19d988*(UniqueProcess=0x0, UniqueThread=0x568) | out: ThreadHandle=0x19d950*=0x148) returned 0x0 [0076.980] NtSuspendThread (in: ThreadHandle=0x148, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0076.985] NtGetContextThread (in: ThreadHandle=0x148, Context=0x19de90 | out: Context=0x19de90*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x1, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x8000, SegGs=0x0, SegFs=0x2bf0df0, SegEs=0x0, SegDs=0x18f168, Edi=0x0, Esi=0x100ec, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0xf, SegCs=0x0, EFlags=0x1de, Esp=0x0, SegSs=0x16f, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x1b, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x3a, [45]=0x93, [46]=0x17, [47]=0x77, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0076.990] NtCreateSection (in: SectionHandle=0x19d930, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19d8d0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19d930*=0x150) returned 0x0 [0076.993] NtMapViewOfSection (in: SectionHandle=0x150, ProcessHandle=0x144, BaseAddress=0x19d938*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19d8d8*=0x71afa, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19d938*=0x2d10000, SectionOffset=0x0, ViewSize=0x19d8d8*=0x72000) returned 0x0 [0076.993] NtMapViewOfSection (in: SectionHandle=0x150, ProcessHandle=0xffffffffffffffff, BaseAddress=0x19d928*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19d8d8*=0x72000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19d928*=0x2850000, SectionOffset=0x0, ViewSize=0x19d8d8*=0x72000) returned 0x0 [0077.001] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0x2850000) returned 0x0 [0077.004] NtClose (Handle=0x150) returned 0x0 [0077.007] NtSetContextThread (ThreadHandle=0x148, Context=0x19de90*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x1, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x8000, SegGs=0x0, SegFs=0x2bf0df0, SegEs=0x0, SegDs=0x18f168, Edi=0x0, Esi=0x100ec, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0xf, SegCs=0x0, EFlags=0x1de, Esp=0x0, SegSs=0x16f, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x1b, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x89, [45]=0x6e, [46]=0xd2, [47]=0x2, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0077.007] NtQueueApcThread (ThreadHandle=0x148, ApcRoutine=0x2d26e96, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0077.010] NtResumeThread (in: ThreadHandle=0x148, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0077.010] NtClose (Handle=0x144) returned 0x0 [0077.010] NtClose (Handle=0x148) returned 0x0 [0077.014] PostThreadMessageW (idThread=0x564, Msg=0x111, wParam=0x0, lParam=0x0) returned 0 [0077.041] PostThreadMessageW (idThread=0x564, Msg=0x8003, wParam=0x19e3ef, lParam=0x0) returned 0 [0077.059] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19edb4*=0x140000, RegionSize=0x19edb8, FreeType=0x8000) returned 0x0 [0077.059] NtDelayExecution (Alertable=0, Interval=0x19e788*=-50000000) returned 0x0 [0082.067] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x19e248 | out: Value="C:\\Program Files (x86)") returned 0x0 [0082.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0x19e220, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.067] NtCreateFile (in: FileHandle=0x19e24c, DesiredAccess=0x120089, ObjectAttributes=0x19e208*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e228, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e24c*=0x148, IoStatusBlock=0x19e228*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.068] NtQueryInformationFile (in: FileHandle=0x148, IoStatusBlock=0x19e228, FileInformation=0x19e180, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e228, FileInformation=0x19e180) returned 0x0 [0082.068] NtClose (Handle=0x148) returned 0x0 [0082.077] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0x19e21c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.077] NtCreateFile (in: FileHandle=0x19e248, DesiredAccess=0x120089, ObjectAttributes=0x19e204*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e224, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e248*=0x148, IoStatusBlock=0x19e224*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.077] NtQueryInformationFile (in: FileHandle=0x148, IoStatusBlock=0x19e224, FileInformation=0x19e17c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e224, FileInformation=0x19e17c) returned 0x0 [0082.079] NtReadFile (in: FileHandle=0x148, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19e224, Buffer=0x307fc0, BufferLength=0x43470, ByteOffset=0x19e194*=0, Key=0x0 | out: IoStatusBlock=0x19e224, Buffer=0x307fc0*) returned 0x0 [0082.237] NtClose (Handle=0x148) returned 0x0 [0082.239] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0xc, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e4e8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e4c0, hNewToken=0x0 | out: lpProcessInformation=0x19e4c0*(hProcess=0x144, hThread=0x148, dwProcessId=0xb08, dwThreadId=0xb0c), hNewToken=0x0) returned 1 [0082.283] NtQueryInformationProcess (in: ProcessHandle=0x144, ProcessInformationClass=0x1a, ProcessInformation=0x19e54c, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19e54c, ReturnLength=0x0) returned 0x0 [0082.283] NtQueryInformationProcess (in: ProcessHandle=0x144, ProcessInformationClass=0x0, ProcessInformation=0x19e218, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x19e218, ReturnLength=0x0) returned 0x0 [0082.286] NtReadVirtualMemory (in: ProcessHandle=0x144, BaseAddress=0xfffde000, Buffer=0x19e260, NumberOfBytesToRead=0x20, NumberOfBytesRead=0x0 | out: Buffer=0x19e260*, NumberOfBytesRead=0x0) returned 0x0 [0082.286] NtMapViewOfSection (in: SectionHandle=0xe4, ProcessHandle=0x144, BaseAddress=0x19e238*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e234*=0x4e2000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x19e238*=0x3c0000, SectionOffset=0x0, ViewSize=0x19e234*=0x4e2000) returned 0x0 [0082.286] NtCreateSection (in: SectionHandle=0x19e22c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19e1ec, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19e22c*=0x114) returned 0x0 [0082.286] NtMapViewOfSection (in: SectionHandle=0x114, ProcessHandle=0xffffffff, BaseAddress=0x19e234*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e1ec*=0x8a840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e234*=0x2850000, SectionOffset=0x0, ViewSize=0x19e1ec*=0x8b000) returned 0x0 [0082.286] NtMapViewOfSection (in: SectionHandle=0x114, ProcessHandle=0x144, BaseAddress=0x19e230*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e228*=0x8a840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e230*=0x70000, SectionOffset=0x0, ViewSize=0x19e228*=0x8b000) returned 0x0 [0082.292] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x2850000) returned 0x0 [0082.293] NtClose (Handle=0x114) returned 0x0 [0082.293] NtReadVirtualMemory (in: ProcessHandle=0x144, BaseAddress=0x1270000, Buffer=0x34b838, NumberOfBytesToRead=0x44000, NumberOfBytesRead=0x0 | out: Buffer=0x34b838*, NumberOfBytesRead=0x0) returned 0x0 [0082.298] NtCreateSection (in: SectionHandle=0x19e2ac, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19e220, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19e2ac*=0x114) returned 0x0 [0082.298] NtMapViewOfSection (in: SectionHandle=0x114, ProcessHandle=0xffffffff, BaseAddress=0x19e2b0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e220*=0x44000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e2b0*=0x1f40000, SectionOffset=0x0, ViewSize=0x19e220*=0x44000) returned 0x0 [0082.302] NtUnmapViewOfSection (ProcessHandle=0x144, BaseAddress=0x1270000) returned 0x0 [0082.304] NtMapViewOfSection (in: SectionHandle=0x114, ProcessHandle=0x144, BaseAddress=0x19e2b4*=0x1270000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e4e0*=0x44000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e2b4*=0x1270000, SectionOffset=0x0, ViewSize=0x19e4e0*=0x44000) returned 0x0 [0082.304] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x1f40000) returned 0x0 [0082.309] NtResumeThread (in: ThreadHandle=0x148, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0082.309] NtCreateKey (in: KeyHandle=0x19e788, DesiredAccess=0x20219, ObjectAttributes=0x19e104*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e788*=0x150) returned 0x0 [0082.309] NtEnumerateValueKey (in: KeyHandle=0x150, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19e358, Length=0x200, ResultLength=0x19e758 | out: KeyValueInformation=0x19e358, ResultLength=0x19e758) returned 0x0 [0082.309] NtClose (Handle=0x150) returned 0x0 [0082.309] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e778*=0x0, ZeroBits=0x0, RegionSize=0x19e77c*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e778*=0x140000, RegionSize=0x19e77c*=0x10000) returned 0x0 [0082.309] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x140000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x140000, ResultLength=0x0) returned 0x0 [0082.363] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19edb4*=0x140000, RegionSize=0x19edb8, FreeType=0x8000) returned 0x0 [0082.364] NtDelayExecution (Alertable=0, Interval=0x19e788*=-50000000) returned 0x0 [0087.430] NtCreateKey (in: KeyHandle=0x19e788, DesiredAccess=0x20219, ObjectAttributes=0x19e104*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x19e788*=0x150) returned 0x0 [0087.431] NtEnumerateValueKey (in: KeyHandle=0x150, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x19e358, Length=0x200, ResultLength=0x19e758 | out: KeyValueInformation=0x19e358, ResultLength=0x19e758) returned 0x0 [0087.431] NtClose (Handle=0x150) returned 0x0 [0087.431] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e778*=0x0, ZeroBits=0x0, RegionSize=0x19e77c*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e778*=0x140000, RegionSize=0x19e77c*=0x10000) returned 0x0 [0087.432] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x140000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x140000, ResultLength=0x0) returned 0x0 [0087.489] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19edb4*=0x140000, RegionSize=0x19edb8, FreeType=0x8000) returned 0x0 [0087.490] NtDelayExecution (Alertable=0, Interval=0x19e788*=-50000000) Thread: id = 40 os_tid = 0xa40 Thread: id = 43 os_tid = 0xa78 Thread: id = 45 os_tid = 0xb00 Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x622c3000" os_pid = "0xa44" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xa38" cmd_line = "/c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /V" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 761 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 762 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 763 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 764 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 765 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 766 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 767 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 768 start_va = 0x4a220000 end_va = 0x4a26bfff entry_point = 0x4a220000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 769 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 770 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 771 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 772 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 773 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 774 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 775 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 776 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 777 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 778 start_va = 0x250000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 779 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 780 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 781 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 782 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 783 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 784 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 785 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 786 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 787 start_va = 0x430000 end_va = 0x496fff entry_point = 0x430000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 788 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 789 start_va = 0x74fa0000 end_va = 0x74fa6fff entry_point = 0x74fa0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 790 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 791 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 792 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 793 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 794 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 795 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 796 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 797 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 798 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 799 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 800 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 801 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 802 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 803 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 804 start_va = 0x560000 end_va = 0x6e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 805 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 806 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 807 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 808 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 809 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 810 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 811 start_va = 0x6f0000 end_va = 0x870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 812 start_va = 0x880000 end_va = 0x1c7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 813 start_va = 0x1c80000 end_va = 0x1fc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c80000" filename = "" Region: id = 814 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 815 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 41 os_tid = 0xa48 [0063.339] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afba4 | out: lpSystemTimeAsFileTime=0x1afba4*(dwLowDateTime=0xaea85900, dwHighDateTime=0x1d3322a)) [0063.339] GetCurrentProcessId () returned 0xa44 [0063.339] GetCurrentThreadId () returned 0xa48 [0063.339] GetTickCount () returned 0x167f5 [0063.339] QueryPerformanceCounter (in: lpPerformanceCount=0x1afb9c | out: lpPerformanceCount=0x1afb9c*=372757084) returned 1 [0063.341] GetModuleHandleA (lpModuleName=0x0) returned 0x4a220000 [0063.341] __set_app_type (_Type=0x1) [0063.341] __p__fmode () returned 0x753031f4 [0063.350] __p__commode () returned 0x753031fc [0063.350] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2421a6) returned 0x0 [0063.350] __getmainargs (in: _Argc=0x4a244238, _Argv=0x4a244240, _Env=0x4a24423c, _DoWildCard=0, _StartInfo=0x4a244140 | out: _Argc=0x4a244238, _Argv=0x4a244240, _Env=0x4a24423c) returned 0 [0063.350] GetCurrentThreadId () returned 0xa48 [0063.350] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa48) returned 0x60 [0063.351] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x765b0000 [0063.351] GetProcAddress (hModule=0x765b0000, lpProcName="SetThreadUILanguage") returned 0x765da84f [0063.351] SetThreadUILanguage (LangId=0x0) returned 0x409 [0063.351] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0063.351] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afb34 | out: phkResult=0x1afb34*=0x0) returned 0x2 [0063.351] VirtualQuery (in: lpAddress=0x1afb6b, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0063.351] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0063.351] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0063.351] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0063.351] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afb04, dwLength=0x1c | out: lpBuffer=0x1afb04*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x39000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0063.351] GetConsoleOutputCP () returned 0x1b5 [0063.351] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a244260 | out: lpCPInfo=0x4a244260) returned 1 [0063.352] SetConsoleCtrlHandler (HandlerRoutine=0x4a23e72a, Add=1) returned 1 [0063.352] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.352] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0063.352] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.352] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2441ac | out: lpMode=0x4a2441ac) returned 1 [0063.352] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.352] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0063.352] _get_osfhandle (_FileHandle=0) returned 0x3 [0063.352] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2441b0 | out: lpMode=0x4a2441b0) returned 1 [0063.385] _get_osfhandle (_FileHandle=0) returned 0x3 [0063.385] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0063.385] GetEnvironmentStringsW () returned 0x342190* [0063.385] FreeEnvironmentStringsW (penv=0x342190) returned 1 [0063.385] GetEnvironmentStringsW () returned 0x342190* [0063.385] FreeEnvironmentStringsW (penv=0x342190) returned 1 [0063.385] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeaa4 | out: phkResult=0x1aeaa4*=0x68) returned 0x0 [0063.385] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x0, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0063.385] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.385] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x0, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0063.386] RegCloseKey (hKey=0x68) returned 0x0 [0063.386] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aeaa4 | out: phkResult=0x1aeaa4*=0x68) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x40, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x1, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x0, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x9, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x4, lpData=0x1aeab0*=0x9, lpcbData=0x1aeaa8*=0x4) returned 0x0 [0063.386] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aeaac, lpData=0x1aeab0, lpcbData=0x1aeaa8*=0x1000 | out: lpType=0x1aeaac*=0x0, lpData=0x1aeab0*=0x9, lpcbData=0x1aeaa8*=0x1000) returned 0x2 [0063.386] RegCloseKey (hKey=0x68) returned 0x0 [0063.386] time (in: timer=0x0 | out: timer=0x0) returned 0x59c29276 [0063.386] srand (_Seed=0x59c29276) [0063.386] GetCommandLineW () returned="/c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /V" [0063.386] GetCommandLineW () returned="/c copy \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /V" [0063.390] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a245260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0063.390] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x342198, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0063.398] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0063.398] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0063.398] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.398] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0063.398] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0063.398] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0063.398] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0063.398] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0063.398] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0063.398] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0063.398] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0063.398] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0063.398] GetEnvironmentStringsW () returned 0x3423a8* [0063.398] FreeEnvironmentStringsW (penv=0x3423a8) returned 1 [0063.398] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0063.399] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a250640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0063.399] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0063.399] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0063.399] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0063.399] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0063.399] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0063.399] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0063.399] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0063.399] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0063.399] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af870 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0063.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x1af870, lpFilePart=0x1af86c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1af86c*="system32") returned 0x13 [0063.399] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0063.399] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x1af5ec | out: lpFindFileData=0x1af5ec) returned 0x345910 [0063.399] FindClose (in: hFindFile=0x345910 | out: hFindFile=0x345910) returned 1 [0063.399] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x1af5ec | out: lpFindFileData=0x1af5ec) returned 0x330ff0 [0063.399] FindClose (in: hFindFile=0x330ff0 | out: hFindFile=0x330ff0) returned 1 [0063.399] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0063.399] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0063.399] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0063.399] GetEnvironmentStringsW () returned 0x3442c0* [0063.399] FreeEnvironmentStringsW (penv=0x3442c0) returned 1 [0063.399] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a245260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0063.400] GetConsoleOutputCP () returned 0x1b5 [0063.400] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a244260 | out: lpCPInfo=0x4a244260) returned 1 [0063.400] GetUserDefaultLCID () returned 0x409 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a244950, cchData=8 | out: lpLCData=":") returned 2 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af9b0, cchData=128 | out: lpLCData="0") returned 2 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af9b0, cchData=128 | out: lpLCData="0") returned 2 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af9b0, cchData=128 | out: lpLCData="1") returned 2 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a244940, cchData=8 | out: lpLCData="/") returned 2 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a244d80, cchData=32 | out: lpLCData="Mon") returned 4 [0063.400] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a244d40, cchData=32 | out: lpLCData="Tue") returned 4 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a244d00, cchData=32 | out: lpLCData="Wed") returned 4 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a244cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a244c80, cchData=32 | out: lpLCData="Fri") returned 4 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a244c40, cchData=32 | out: lpLCData="Sat") returned 4 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a244c00, cchData=32 | out: lpLCData="Sun") returned 4 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a244930, cchData=8 | out: lpLCData=".") returned 2 [0063.401] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a244920, cchData=8 | out: lpLCData=",") returned 2 [0063.401] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0063.401] GetConsoleTitleW (in: lpConsoleTitle=0x342f00, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0063.402] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x765b0000 [0063.402] GetProcAddress (hModule=0x765b0000, lpProcName="CopyFileExW") returned 0x765e3b92 [0063.402] GetProcAddress (hModule=0x765b0000, lpProcName="IsDebuggerPresent") returned 0x765c4a5d [0063.402] GetProcAddress (hModule=0x765b0000, lpProcName="SetConsoleInputExeNameW") returned 0x765da79d [0063.403] _wcsicmp (_String1="copy", _String2=")") returned 58 [0063.403] _wcsicmp (_String1="FOR", _String2="copy") returned 3 [0063.403] _wcsicmp (_String1="FOR/?", _String2="copy") returned 3 [0063.403] _wcsicmp (_String1="IF", _String2="copy") returned 6 [0063.403] _wcsicmp (_String1="IF/?", _String2="copy") returned 6 [0063.403] _wcsicmp (_String1="REM", _String2="copy") returned 15 [0063.403] _wcsicmp (_String1="REM/?", _String2="copy") returned 15 [0063.405] GetConsoleTitleW (in: lpConsoleTitle=0x1af6a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0063.405] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0063.405] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0063.405] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0063.405] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0063.405] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0063.443] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.443] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a245260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.443] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0063.444] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.445] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0063.445] _wcsicmp (_String1="lxqfwvdqlkd.exe", _String2=".") returned 62 [0063.445] _wcsicmp (_String1="lxqfwvdqlkd.exe", _String2="..") returned 62 [0063.445] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x20 [0063.445] _wcsicmp (_String1="igfxonux.scr", _String2=".") returned 59 [0063.445] _wcsicmp (_String1="igfxonux.scr", _String2="..") returned 59 [0063.445] _wcsnicmp (_String1="/V", _String2="/Y", _MaxCount=0x2) returned -3 [0063.447] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x1af658, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x1af658, ReturnLength=0x0) returned 0x0 [0063.448] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x1af660, ProcessInformationLength=0x4) returned 0x0 [0063.448] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0xa0000 [0063.448] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x1f0000 [0063.449] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", fInfoLevelId=0x1, lpFindFileData=0x343478, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x343478) returned 0x343708 [0063.449] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", nBufferLength=0x104, lpBuffer=0x1ae978, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", lpFilePart=0x0) returned 0x3a [0063.449] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", _String2="con") returned -53 [0063.449] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1aeb64, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x78 [0063.449] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0063.449] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.449] GetFileType (hFile=0x78) returned 0x1 [0063.449] SetErrorMode (uMode=0x0) returned 0x1 [0063.449] SetErrorMode (uMode=0x1) returned 0x0 [0063.449] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", nBufferLength=0x208, lpBuffer=0x1aee18, lpFilePart=0x1aeb9c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", lpFilePart=0x1aeb9c*="lxqfwvdqlkd.exe") returned 0x35 [0063.449] SetErrorMode (uMode=0x1) returned 0x1 [0063.449] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.449] ReadFile (in: hFile=0x78, lpBuffer=0xa0000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1aec08, lpOverlapped=0x0 | out: lpBuffer=0xa0000*, lpNumberOfBytesRead=0x1aec08*=0x200, lpOverlapped=0x0) returned 1 [0063.450] SetErrorMode (uMode=0x0) returned 0x1 [0063.450] SetErrorMode (uMode=0x1) returned 0x0 [0063.450] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", nBufferLength=0x208, lpBuffer=0x1ae778, lpFilePart=0x1ae770 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", lpFilePart=0x1ae770*="igfxonux.scr") returned 0x3a [0063.450] SetErrorMode (uMode=0x1) returned 0x1 [0063.450] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr") returned 3 [0063.450] _wcsicmp (_String1="igfxonux.scr", _String2=".") returned 59 [0063.450] _wcsicmp (_String1="igfxonux.scr", _String2="..") returned 59 [0063.450] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0xffffffff [0063.450] GetLastError () returned 0x2 [0063.450] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", nBufferLength=0x104, lpBuffer=0x1ae978, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", lpFilePart=0x0) returned 0x3a [0063.450] SetErrorMode (uMode=0x0) returned 0x1 [0063.450] SetErrorMode (uMode=0x1) returned 0x0 [0063.450] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", nBufferLength=0x208, lpBuffer=0x1ae778, lpFilePart=0x1ae770 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", lpFilePart=0x1ae770*="igfxonux.scr") returned 0x3a [0063.450] SetErrorMode (uMode=0x1) returned 0x1 [0063.450] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr") returned 3 [0063.450] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0xffffffff [0063.450] CopyFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x4a2441b4, dwCopyFlags=0x0) returned 1 [0063.459] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0x2020 [0063.460] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", dwFileAttributes=0x2020) returned 1 [0063.460] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", _String2="con") returned -53 [0063.460] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1aeb60, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x80 [0063.460] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 4 [0063.460] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.460] GetFileType (hFile=0x80) returned 0x1 [0063.460] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.460] FlushFileBuffers (hFile=0x80) returned 1 [0063.476] _close (_FileHandle=4) returned 0 [0063.476] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", _String2="con") returned -53 [0063.476] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1aeb64, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x80 [0063.476] _open_osfhandle (_OSFileHandle=0x80, _Flags=8) returned 4 [0063.476] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.477] GetFileType (hFile=0x80) returned 0x1 [0063.477] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.477] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.477] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.477] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0063.477] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.477] GetFileSize (in: hFile=0x78, lpFileSizeHigh=0x1aebb4 | out: lpFileSizeHigh=0x1aebb4*=0x0) returned 0x47000 [0063.477] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.477] GetFileSize (in: hFile=0x80, lpFileSizeHigh=0x1aebb8 | out: lpFileSizeHigh=0x1aebb8*=0x0) returned 0x47000 [0063.477] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.477] ReadFile (in: hFile=0x78, lpBuffer=0xa0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aec08, lpOverlapped=0x0 | out: lpBuffer=0xa0000*, lpNumberOfBytesRead=0x1aec08*=0xfe00, lpOverlapped=0x0) returned 1 [0063.477] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.477] ReadFile (in: hFile=0x80, lpBuffer=0x1f0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aebbc, lpOverlapped=0x0 | out: lpBuffer=0x1f0000*, lpNumberOfBytesRead=0x1aebbc*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.478] ReadFile (in: hFile=0x78, lpBuffer=0xa0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aec08, lpOverlapped=0x0 | out: lpBuffer=0xa0000*, lpNumberOfBytesRead=0x1aec08*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.478] ReadFile (in: hFile=0x80, lpBuffer=0x1f0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aebbc, lpOverlapped=0x0 | out: lpBuffer=0x1f0000*, lpNumberOfBytesRead=0x1aebbc*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.478] ReadFile (in: hFile=0x78, lpBuffer=0xa0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aec08, lpOverlapped=0x0 | out: lpBuffer=0xa0000*, lpNumberOfBytesRead=0x1aec08*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.478] ReadFile (in: hFile=0x80, lpBuffer=0x1f0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aebbc, lpOverlapped=0x0 | out: lpBuffer=0x1f0000*, lpNumberOfBytesRead=0x1aebbc*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.478] ReadFile (in: hFile=0x78, lpBuffer=0xa0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aec08, lpOverlapped=0x0 | out: lpBuffer=0xa0000*, lpNumberOfBytesRead=0x1aec08*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.478] ReadFile (in: hFile=0x80, lpBuffer=0x1f0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aebbc, lpOverlapped=0x0 | out: lpBuffer=0x1f0000*, lpNumberOfBytesRead=0x1aebbc*=0xfe00, lpOverlapped=0x0) returned 1 [0063.478] _get_osfhandle (_FileHandle=3) returned 0x78 [0063.478] ReadFile (in: hFile=0x78, lpBuffer=0xa0000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1aec08, lpOverlapped=0x0 | out: lpBuffer=0xa0000*, lpNumberOfBytesRead=0x1aec08*=0x7800, lpOverlapped=0x0) returned 1 [0063.479] _get_osfhandle (_FileHandle=4) returned 0x80 [0063.479] ReadFile (in: hFile=0x80, lpBuffer=0x1f0000, nNumberOfBytesToRead=0x7800, lpNumberOfBytesRead=0x1aebbc, lpOverlapped=0x0 | out: lpBuffer=0x1f0000*, lpNumberOfBytesRead=0x1aebbc*=0x7800, lpOverlapped=0x0) returned 1 [0063.479] _close (_FileHandle=4) returned 0 [0063.479] _close (_FileHandle=3) returned 0 [0063.479] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0063.568] GetFileType (hFile=0xffffffff) returned 0x0 [0063.568] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0063.568] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x1aebac) returned 0 [0063.568] FindNextFileW (in: hFindFile=0x343708, lpFindFileData=0x343478 | out: lpFindFileData=0x343478) returned 0 [0063.568] GetLastError () returned 0x12 [0063.568] FindClose (in: hFindFile=0x343708 | out: hFindFile=0x343708) returned 1 [0063.568] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x1af658, ProcessInformationLength=0x4) returned 0x0 [0063.568] _vsnwprintf (in: _Buffer=0x4a245040, _BufferCount=0x103, _Format="%9d", _ArgList=0x1af634 | out: _Buffer=" 1") returned 9 [0063.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.568] GetFileType (hFile=0x7) returned 0x2 [0063.568] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0063.568] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1af5c0 | out: lpMode=0x1af5c0) returned 1 [0063.568] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.568] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1af5f4 | out: lpConsoleScreenBufferInfo=0x1af5f4) returned 1 [0063.569] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a254640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0063.569] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a254640, nSize=0x2000, Arguments=0x1af634 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0063.569] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a254640*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x1af618, lpReserved=0x0 | out: lpBuffer=0x4a254640*, lpNumberOfCharsWritten=0x1af618*=0x1b) returned 1 [0063.570] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.570] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0063.570] _get_osfhandle (_FileHandle=1) returned 0x7 [0063.570] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2441ac | out: lpMode=0x4a2441ac) returned 1 [0063.570] _get_osfhandle (_FileHandle=0) returned 0x3 [0063.570] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2441b0 | out: lpMode=0x4a2441b0) returned 1 [0063.570] SetConsoleInputExeNameW () returned 0x1 [0063.570] GetConsoleOutputCP () returned 0x1b5 [0063.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a244260 | out: lpCPInfo=0x4a244260) returned 1 [0063.570] SetThreadUILanguage (LangId=0x0) returned 0x409 [0063.570] exit (_Code=0) Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x61a48000" os_pid = "0xa58" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xa38" cmd_line = "/c del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 816 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 817 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 818 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 819 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 820 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 821 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 822 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 823 start_va = 0x4a260000 end_va = 0x4a2abfff entry_point = 0x4a26829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 824 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 825 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 826 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 827 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 828 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 829 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 830 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 831 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 832 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 833 start_va = 0xc0000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 834 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 835 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 836 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 837 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 838 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 839 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 840 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 841 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 842 start_va = 0x74f90000 end_va = 0x74f96fff entry_point = 0x74f91230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 843 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 844 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 845 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 846 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 847 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 848 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 849 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 850 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 851 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 852 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 853 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 854 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 855 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 856 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 857 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 858 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 859 start_va = 0x500000 end_va = 0x687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 860 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 861 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 862 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 863 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 864 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 865 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 866 start_va = 0x690000 end_va = 0x810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 867 start_va = 0x820000 end_va = 0x1c1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 868 start_va = 0x1c20000 end_va = 0x1f62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c20000" filename = "" Thread: id = 42 os_tid = 0xa5c [0066.827] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ff944 | out: lpSystemTimeAsFileTime=0x2ff944*(dwLowDateTime=0xb0bd8d00, dwHighDateTime=0x1d3322a)) [0066.827] GetCurrentProcessId () returned 0xa58 [0066.827] GetCurrentThreadId () returned 0xa5c [0066.827] GetTickCount () returned 0x1759c [0066.827] QueryPerformanceCounter (in: lpPerformanceCount=0x2ff93c | out: lpPerformanceCount=0x2ff93c*=385020521) returned 1 [0066.828] GetModuleHandleA (lpModuleName=0x0) returned 0x4a260000 [0066.829] __set_app_type (_Type=0x1) [0066.829] __p__fmode () returned 0x753031f4 [0066.829] __p__commode () returned 0x753031fc [0066.829] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2821a6) returned 0x0 [0066.829] __getmainargs (in: _Argc=0x4a284238, _Argv=0x4a284240, _Env=0x4a28423c, _DoWildCard=0, _StartInfo=0x4a284140 | out: _Argc=0x4a284238, _Argv=0x4a284240, _Env=0x4a28423c) returned 0 [0066.829] GetCurrentThreadId () returned 0xa5c [0066.829] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa5c) returned 0x60 [0066.829] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x765b0000 [0066.829] GetProcAddress (hModule=0x765b0000, lpProcName="SetThreadUILanguage") returned 0x765da84f [0066.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.829] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0066.829] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff8d4 | out: phkResult=0x2ff8d4*=0x0) returned 0x2 [0066.829] VirtualQuery (in: lpAddress=0x2ff90b, lpBuffer=0x2ff8a4, dwLength=0x1c | out: lpBuffer=0x2ff8a4*(BaseAddress=0x2ff000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.829] VirtualQuery (in: lpAddress=0x200000, lpBuffer=0x2ff8a4, dwLength=0x1c | out: lpBuffer=0x2ff8a4*(BaseAddress=0x200000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0066.830] VirtualQuery (in: lpAddress=0x201000, lpBuffer=0x2ff8a4, dwLength=0x1c | out: lpBuffer=0x2ff8a4*(BaseAddress=0x201000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0066.830] VirtualQuery (in: lpAddress=0x203000, lpBuffer=0x2ff8a4, dwLength=0x1c | out: lpBuffer=0x2ff8a4*(BaseAddress=0x203000, AllocationBase=0x200000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0066.830] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x2ff8a4, dwLength=0x1c | out: lpBuffer=0x2ff8a4*(BaseAddress=0x300000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0066.830] GetConsoleOutputCP () returned 0x1b5 [0066.830] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a284260 | out: lpCPInfo=0x4a284260) returned 1 [0066.830] SetConsoleCtrlHandler (HandlerRoutine=0x4a27e72a, Add=1) returned 1 [0066.830] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.830] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0066.830] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.830] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2841ac | out: lpMode=0x4a2841ac) returned 1 [0066.830] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.830] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.830] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.830] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2841b0 | out: lpMode=0x4a2841b0) returned 1 [0066.830] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.831] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0066.831] GetEnvironmentStringsW () returned 0x3620c0* [0066.831] FreeEnvironmentStringsW (penv=0x3620c0) returned 1 [0066.831] GetEnvironmentStringsW () returned 0x3620c0* [0066.831] FreeEnvironmentStringsW (penv=0x3620c0) returned 1 [0066.831] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2fe844 | out: phkResult=0x2fe844*=0x68) returned 0x0 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x0, lpData=0x2fe850*=0x0, lpcbData=0x2fe848*=0x1000) returned 0x2 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x1, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x0, lpData=0x2fe850*=0x1, lpcbData=0x2fe848*=0x1000) returned 0x2 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x0, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x40, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x40, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.831] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x0, lpData=0x2fe850*=0x40, lpcbData=0x2fe848*=0x1000) returned 0x2 [0066.831] RegCloseKey (hKey=0x68) returned 0x0 [0066.831] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2fe844 | out: phkResult=0x2fe844*=0x68) returned 0x0 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x0, lpData=0x2fe850*=0x40, lpcbData=0x2fe848*=0x1000) returned 0x2 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x1, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x0, lpData=0x2fe850*=0x1, lpcbData=0x2fe848*=0x1000) returned 0x2 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x0, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x9, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x4, lpData=0x2fe850*=0x9, lpcbData=0x2fe848*=0x4) returned 0x0 [0066.832] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2fe84c, lpData=0x2fe850, lpcbData=0x2fe848*=0x1000 | out: lpType=0x2fe84c*=0x0, lpData=0x2fe850*=0x9, lpcbData=0x2fe848*=0x1000) returned 0x2 [0066.832] RegCloseKey (hKey=0x68) returned 0x0 [0066.832] time (in: timer=0x0 | out: timer=0x0) returned 0x59c29279 [0066.832] srand (_Seed=0x59c29279) [0066.832] GetCommandLineW () returned="/c del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\"" [0066.832] GetCommandLineW () returned="/c del \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe\"" [0066.832] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a285260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.832] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3620c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0066.832] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a290640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0066.832] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a290640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0066.832] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a290640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.832] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0066.832] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0066.832] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0066.832] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0066.832] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0066.832] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0066.832] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0066.832] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0066.832] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0066.832] GetEnvironmentStringsW () returned 0x3622d8* [0066.833] FreeEnvironmentStringsW (penv=0x3622d8) returned 1 [0066.833] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a290640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0066.833] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a290640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0066.833] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0066.833] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0066.833] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0066.833] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0066.833] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0066.833] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0066.833] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0066.833] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0066.833] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ff610 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x2ff610, lpFilePart=0x2ff60c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2ff60c*="system32") returned 0x13 [0066.833] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0066.833] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x2ff38c | out: lpFindFileData=0x2ff38c) returned 0x365840 [0066.833] FindClose (in: hFindFile=0x365840 | out: hFindFile=0x365840) returned 1 [0066.833] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x2ff38c | out: lpFindFileData=0x2ff38c) returned 0x350ff0 [0066.833] FindClose (in: hFindFile=0x350ff0 | out: hFindFile=0x350ff0) returned 1 [0066.833] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0066.833] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0066.833] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0066.833] GetEnvironmentStringsW () returned 0x3641f0* [0066.834] FreeEnvironmentStringsW (penv=0x3641f0) returned 1 [0066.834] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a285260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.834] GetConsoleOutputCP () returned 0x1b5 [0066.834] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a284260 | out: lpCPInfo=0x4a284260) returned 1 [0066.834] GetUserDefaultLCID () returned 0x409 [0066.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a284950, cchData=8 | out: lpLCData=":") returned 2 [0066.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ff750, cchData=128 | out: lpLCData="0") returned 2 [0066.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ff750, cchData=128 | out: lpLCData="0") returned 2 [0066.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ff750, cchData=128 | out: lpLCData="1") returned 2 [0066.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a284940, cchData=8 | out: lpLCData="/") returned 2 [0066.834] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a284d80, cchData=32 | out: lpLCData="Mon") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a284d40, cchData=32 | out: lpLCData="Tue") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a284d00, cchData=32 | out: lpLCData="Wed") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a284cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a284c80, cchData=32 | out: lpLCData="Fri") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a284c40, cchData=32 | out: lpLCData="Sat") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a284c00, cchData=32 | out: lpLCData="Sun") returned 4 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a284930, cchData=8 | out: lpLCData=".") returned 2 [0066.835] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a284920, cchData=8 | out: lpLCData=",") returned 2 [0066.835] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0066.836] GetConsoleTitleW (in: lpConsoleTitle=0x351080, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0066.836] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x765b0000 [0066.836] GetProcAddress (hModule=0x765b0000, lpProcName="CopyFileExW") returned 0x765e3b92 [0066.836] GetProcAddress (hModule=0x765b0000, lpProcName="IsDebuggerPresent") returned 0x765c4a5d [0066.836] GetProcAddress (hModule=0x765b0000, lpProcName="SetConsoleInputExeNameW") returned 0x765da79d [0066.836] _wcsicmp (_String1="del", _String2=")") returned 59 [0066.836] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0066.836] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0066.836] _wcsicmp (_String1="IF", _String2="del") returned 5 [0066.836] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0066.836] _wcsicmp (_String1="REM", _String2="del") returned 14 [0066.836] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0066.838] GetConsoleTitleW (in: lpConsoleTitle=0x2ff448, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0066.838] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0066.838] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0066.838] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0066.839] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x2ff200 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.839] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x2fe290 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.839] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2fe4c0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2fe4c4, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x2fe4c0*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0066.839] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0066.839] _wcsicmp (_String1="lxqfwvdqlkd.exe", _String2=".") returned 62 [0066.839] _wcsicmp (_String1="lxqfwvdqlkd.exe", _String2="..") returned 62 [0066.839] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x20 [0066.840] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x363338 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0066.840] SetErrorMode (uMode=0x0) returned 0x1 [0066.840] SetErrorMode (uMode=0x1) returned 0x0 [0066.840] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", nBufferLength=0x104, lpBuffer=0x2fe8e4, lpFilePart=0x2fe8cc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", lpFilePart=0x2fe8cc*="lxqfwvdqlkd.exe") returned 0x35 [0066.840] SetErrorMode (uMode=0x1) returned 0x1 [0066.840] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0066.840] _wcsicmp (_String1="lxqfwvdqlkd.exe", _String2=".") returned 62 [0066.840] _wcsicmp (_String1="lxqfwvdqlkd.exe", _String2="..") returned 62 [0066.840] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 0x20 [0066.840] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe", fInfoLevelId=0x0, lpFindFileData=0x36445c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x36445c) returned 0x363608 [0066.840] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lxqfwvdqlkd.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lxqfwvdqlkd.exe")) returned 1 [0066.841] FindNextFileW (in: hFindFile=0x363608, lpFindFileData=0x36445c | out: lpFindFileData=0x36445c) returned 0 [0066.842] GetLastError () returned 0x12 [0066.842] FindClose (in: hFindFile=0x363608 | out: hFindFile=0x363608) returned 1 [0066.842] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.842] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.842] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.842] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2841ac | out: lpMode=0x4a2841ac) returned 1 [0066.842] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.842] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2841b0 | out: lpMode=0x4a2841b0) returned 1 [0066.842] SetConsoleInputExeNameW () returned 0x1 [0066.843] GetConsoleOutputCP () returned 0x1b5 [0066.843] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a284260 | out: lpCPInfo=0x4a284260) returned 1 [0066.843] SetThreadUILanguage (LangId=0x0) returned 0x409 [0066.843] exit (_Code=0) Process: id = "8" image_name = "firefox.exe" filename = "c:\\program files (x86)\\mozilla firefox\\firefox.exe" page_root = "0xbc93000" os_pid = "0xb08" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xa38" cmd_line = "\"C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 939 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 940 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 941 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 942 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 943 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 944 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 945 start_va = 0x1270000 end_va = 0x12b3fff entry_point = 0x1270000 region_type = mapped_file name = "firefox.exe" filename = "\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe") Region: id = 946 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 947 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 948 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 949 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 950 start_va = 0xfffb0000 end_va = 0xfffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000fffb0000" filename = "" Region: id = 951 start_va = 0xfffdb000 end_va = 0xfffddfff entry_point = 0x0 region_type = private name = "private_0x00000000fffdb000" filename = "" Region: id = 952 start_va = 0xfffde000 end_va = 0xfffdefff entry_point = 0x0 region_type = private name = "private_0x00000000fffde000" filename = "" Region: id = 953 start_va = 0xfffdf000 end_va = 0xfffdffff entry_point = 0x0 region_type = private name = "private_0x00000000fffdf000" filename = "" Region: id = 954 start_va = 0xfffe0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x00000000fffe0000" filename = "" Region: id = 955 start_va = 0x60000 end_va = 0x62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 956 start_va = 0x3c0000 end_va = 0x8a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 958 start_va = 0x70000 end_va = 0xfafff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 960 start_va = 0x1270000 end_va = 0x12b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 962 start_va = 0xaa0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 963 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 964 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 965 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 966 start_va = 0xd10000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 967 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 968 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 969 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 970 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 971 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 972 start_va = 0x100000 end_va = 0x166fff entry_point = 0x100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 973 start_va = 0x74740000 end_va = 0x747fdfff entry_point = 0x74740000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcr100.dll") Region: id = 974 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 975 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 976 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 977 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 978 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 979 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 980 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 981 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 982 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 983 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 984 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 985 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 986 start_va = 0x8b0000 end_va = 0xa37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 987 start_va = 0xa80000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 988 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 989 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 990 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 991 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 992 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 993 start_va = 0xb20000 end_va = 0xca0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 994 start_va = 0xd50000 end_va = 0xecffff entry_point = 0xd50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 995 start_va = 0x12c0000 end_va = 0x26bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Region: id = 996 start_va = 0x75380000 end_va = 0x753b4fff entry_point = 0x7538145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 997 start_va = 0x76bd0000 end_va = 0x76bd5fff entry_point = 0x76bd1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 998 start_va = 0x74510000 end_va = 0x74578fff entry_point = 0x74510000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcp100.dll") Region: id = 999 start_va = 0x74580000 end_va = 0x74734fff entry_point = 0x746e2823 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll") Region: id = 1000 start_va = 0x74b50000 end_va = 0x74b71fff entry_point = 0x74b50000 region_type = mapped_file name = "mozglue.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozglue.dll") Region: id = 1001 start_va = 0x74b80000 end_va = 0x74bb1fff entry_point = 0x74b837f1 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 1002 start_va = 0x74f90000 end_va = 0x74f96fff entry_point = 0x74f91120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 1003 start_va = 0xed0000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 1004 start_va = 0x768e0000 end_va = 0x769fcfff entry_point = 0x768e158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1005 start_va = 0x77530000 end_va = 0x7753bfff entry_point = 0x7753238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1006 start_va = 0x1000000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1007 start_va = 0x26c0000 end_va = 0x298efff entry_point = 0x26c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1008 start_va = 0x744e0000 end_va = 0x74506fff entry_point = 0x744e0000 region_type = mapped_file name = "softokn3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.dll") Region: id = 1009 start_va = 0x74f70000 end_va = 0x74f86fff entry_point = 0x74f70000 region_type = mapped_file name = "nssdbm3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.dll") Region: id = 1010 start_va = 0x180000 end_va = 0x186fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1011 start_va = 0x190000 end_va = 0x191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1012 start_va = 0x2990000 end_va = 0x2d82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002990000" filename = "" Region: id = 1013 start_va = 0x74490000 end_va = 0x744defff entry_point = 0x74490000 region_type = mapped_file name = "freebl3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.dll") Region: id = 1014 start_va = 0x75790000 end_va = 0x763d9fff entry_point = 0x75811601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1015 start_va = 0x77100000 end_va = 0x77156fff entry_point = 0x77119ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Thread: id = 46 os_tid = 0xb0c [0082.577] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x3bfe2c | out: HeapArray=0x3bfe2c*=0xd10000) returned 0x3 [0082.583] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x3bfb3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.585] NtCreateFile (in: FileHandle=0x3bfb68, DesiredAccess=0x1200a0, ObjectAttributes=0x3bfb24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x3bfb44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x3bfb68*=0x58, IoStatusBlock=0x3bfb44*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.593] NtCreateSection (in: SectionHandle=0x3bfac4, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x58 | out: SectionHandle=0x3bfac4*=0x5c) returned 0x0 [0082.595] NtMapViewOfSection (in: SectionHandle=0x5c, ProcessHandle=0xffffffff, BaseAddress=0x3bfac0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x3bfabc*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x3bfac0*=0xd50000, SectionOffset=0x0, ViewSize=0x3bfabc*=0x180000) returned 0x40000003 [0082.597] NtClose (Handle=0x58) returned 0x0 [0082.597] NtClose (Handle=0x5c) returned 0x0 [0082.599] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3bfb70*=0xd50000, NumberOfBytesToProtect=0x3bfb80, NewAccessProtection=0x40, OldAccessProtection=0x3bfb6c | out: BaseAddress=0x3bfb70*=0xd50000, NumberOfBytesToProtect=0x3bfb80, OldAccessProtection=0x3bfb6c*=0x2) returned 0x0 [0082.599] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3bfb64*=0xd60000, NumberOfBytesToProtect=0x3bfb68, NewAccessProtection=0x40, OldAccessProtection=0x3bfb6c | out: BaseAddress=0x3bfb64*=0xd60000, NumberOfBytesToProtect=0x3bfb68, OldAccessProtection=0x3bfb6c*=0x20) returned 0x0 [0082.600] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3bfb64*=0xe40000, NumberOfBytesToProtect=0x3bfb68, NewAccessProtection=0x40, OldAccessProtection=0x3bfb6c | out: BaseAddress=0x3bfb64*=0xe40000, NumberOfBytesToProtect=0x3bfb68, OldAccessProtection=0x3bfb6c*=0x20) returned 0x0 [0082.601] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3bfb64*=0xe50000, NumberOfBytesToProtect=0x3bfb68, NewAccessProtection=0x40, OldAccessProtection=0x3bfb6c | out: BaseAddress=0x3bfb64*=0xe50000, NumberOfBytesToProtect=0x3bfb68, OldAccessProtection=0x3bfb6c*=0x8) returned 0x0 [0082.601] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3bfb64*=0xe60000, NumberOfBytesToProtect=0x3bfb68, NewAccessProtection=0x40, OldAccessProtection=0x3bfb6c | out: BaseAddress=0x3bfb64*=0xe60000, NumberOfBytesToProtect=0x3bfb68, OldAccessProtection=0x3bfb6c*=0x2) returned 0x0 [0082.601] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3bfb64*=0xec0000, NumberOfBytesToProtect=0x3bfb68, NewAccessProtection=0x40, OldAccessProtection=0x3bfb6c | out: BaseAddress=0x3bfb64*=0xec0000, NumberOfBytesToProtect=0x3bfb68, OldAccessProtection=0x3bfb6c*=0x2) returned 0x0 Process: id = "9" image_name = "igfxonux.scr" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr" page_root = "0x3f60000" os_pid = "0x53c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "modified_file" parent_id = "6" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e25d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1019 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1020 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1021 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1022 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1023 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1024 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1025 start_va = 0x400000 end_va = 0x447fff entry_point = 0x400000 region_type = mapped_file name = "igfxonux.scr" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr") Region: id = 1026 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1027 start_va = 0x77490000 end_va = 0x7760ffff entry_point = 0x77490000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1028 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1029 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1030 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1031 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1032 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1033 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1034 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1156 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1157 start_va = 0x73a00000 end_va = 0x73a07fff entry_point = 0x73a00000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1158 start_va = 0x73a10000 end_va = 0x73a6bfff entry_point = 0x73a10000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1159 start_va = 0x73a70000 end_va = 0x73aaefff entry_point = 0x73a70000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1160 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1161 start_va = 0x76720000 end_va = 0x7682ffff entry_point = 0x76720000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1162 start_va = 0x76e10000 end_va = 0x76e55fff entry_point = 0x76e10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1163 start_va = 0x77090000 end_va = 0x771aefff entry_point = 0x0 region_type = private name = "private_0x0000000077090000" filename = "" Region: id = 1164 start_va = 0x771b0000 end_va = 0x772a9fff entry_point = 0x0 region_type = private name = "private_0x00000000771b0000" filename = "" Region: id = 1165 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1166 start_va = 0x380000 end_va = 0x3e6fff entry_point = 0x380000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1167 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 1168 start_va = 0x74fe0000 end_va = 0x74febfff entry_point = 0x74fe0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1169 start_va = 0x74ff0000 end_va = 0x7504ffff entry_point = 0x74ff0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1170 start_va = 0x760d0000 end_va = 0x7615efff entry_point = 0x760d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1171 start_va = 0x76260000 end_va = 0x762fffff entry_point = 0x76260000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1172 start_va = 0x76300000 end_va = 0x7638ffff entry_point = 0x76300000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1173 start_va = 0x768f0000 end_va = 0x769dffff entry_point = 0x768f0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1174 start_va = 0x76b00000 end_va = 0x76c5bfff entry_point = 0x76b00000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1175 start_va = 0x76ca0000 end_va = 0x76d4bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1176 start_va = 0x76d50000 end_va = 0x76d59fff entry_point = 0x76d50000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1177 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1178 start_va = 0x76e70000 end_va = 0x76e88fff entry_point = 0x76e70000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1179 start_va = 0x76f90000 end_va = 0x7708ffff entry_point = 0x76f90000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1180 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1181 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1182 start_va = 0x450000 end_va = 0x5d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1183 start_va = 0x640000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1184 start_va = 0x76160000 end_va = 0x7622bfff entry_point = 0x76160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1185 start_va = 0x764d0000 end_va = 0x7652ffff entry_point = 0x764d0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1186 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1187 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1188 start_va = 0x650000 end_va = 0x7d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 1189 start_va = 0x7e0000 end_va = 0x1bdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1190 start_va = 0x1c80000 end_va = 0x1c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 1191 start_va = 0x1c90000 end_va = 0x208ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 1192 start_va = 0x2090000 end_va = 0x235efff entry_point = 0x2090000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1193 start_va = 0x2360000 end_va = 0x24affff entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 1194 start_va = 0x2590000 end_va = 0x25cffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 1195 start_va = 0x737e0000 end_va = 0x7385ffff entry_point = 0x737e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1196 start_va = 0x1be0000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 1197 start_va = 0x2360000 end_va = 0x243efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002360000" filename = "" Region: id = 1198 start_va = 0x2470000 end_va = 0x24affff entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 1199 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1200 start_va = 0x26d0000 end_va = 0x26dffff entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 1201 start_va = 0x73990000 end_va = 0x739eefff entry_point = 0x73990000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 1202 start_va = 0x72d60000 end_va = 0x72d72fff entry_point = 0x72d60000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1203 start_va = 0x1b0000 end_va = 0x1b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1204 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1205 start_va = 0x26e0000 end_va = 0x2ad2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026e0000" filename = "" Region: id = 1206 start_va = 0x2ae0000 end_va = 0x340ffff entry_point = 0x2ae0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 1207 start_va = 0x74f70000 end_va = 0x74fc0fff entry_point = 0x74f70000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 1208 start_va = 0x25d0000 end_va = 0x26bffff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1214 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1215 start_va = 0x3410000 end_va = 0x350ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 1216 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1217 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1218 start_va = 0x250000 end_va = 0x250fff entry_point = 0x250000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msctf.dll.mui") Region: id = 1219 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1220 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1221 start_va = 0x76830000 end_va = 0x768b2fff entry_point = 0x76830000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1222 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 1223 start_va = 0x24b0000 end_va = 0x252ffff entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 1224 start_va = 0x3f0000 end_va = 0x3f8fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1225 start_va = 0x3510000 end_va = 0x750ffff entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 1226 start_va = 0x1be0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 1227 start_va = 0x1c40000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 1228 start_va = 0x2530000 end_va = 0x256ffff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 1229 start_va = 0x7510000 end_va = 0x760ffff entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1230 start_va = 0x7610000 end_va = 0x770ffff entry_point = 0x0 region_type = private name = "private_0x0000000007610000" filename = "" Region: id = 1231 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1232 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1233 start_va = 0x75080000 end_va = 0x75cc9fff entry_point = 0x75080000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1234 start_va = 0x75cd0000 end_va = 0x75d26fff entry_point = 0x75cd0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1235 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Thread: id = 51 os_tid = 0x540 [0113.074] GetVersion () returned 0x1db10106 [0113.075] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76720000 [0113.076] GetProcAddress (hModule=0x76720000, lpProcName="IsTNT") returned 0x0 [0113.076] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1c90000 [0113.077] VirtualAlloc (lpAddress=0x1c90000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1c90000 [0113.077] GetCurrentThreadId () returned 0x540 [0113.077] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S" [0113.077] GetEnvironmentStringsW () returned 0x2947e0* [0113.077] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1409, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1409 [0113.078] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1409, lpMultiByteStr=0x1c807d0, cbMultiByte=1409, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1409 [0113.078] FreeEnvironmentStringsW (penv=0x2947e0) returned 1 [0113.078] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0113.078] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0113.078] GetFileType (hFile=0x0) returned 0x0 [0113.078] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0113.078] GetFileType (hFile=0x0) returned 0x0 [0113.078] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0113.078] GetFileType (hFile=0x0) returned 0x0 [0113.078] SetHandleCount (uNumber=0x20) returned 0x20 [0113.078] GetACP () returned 0x4e4 [0113.078] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0113.078] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0x3a [0113.079] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76720000 [0113.079] GetProcAddress (hModule=0x76720000, lpProcName="IsProcessorFeaturePresent") returned 0x76735235 [0113.079] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0113.080] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0113.080] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0113.080] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0113.080] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0113.080] GetVersion () returned 0x1db10106 [0113.080] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0113.082] GetUserDefaultLCID () returned 0x409 [0113.082] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0113.082] GetSystemMetrics (nIndex=5) returned 1 [0113.082] GetSystemMetrics (nIndex=6) returned 1 [0113.082] GetSystemMetrics (nIndex=11) returned 32 [0113.082] GetSystemMetrics (nIndex=12) returned 32 [0113.082] GetSystemMetrics (nIndex=34) returned 132 [0113.082] GetSystemMetrics (nIndex=35) returned 38 [0113.082] GetSystemMetrics (nIndex=0) returned 1440 [0113.082] GetSystemMetrics (nIndex=1) returned 900 [0113.082] GetSystemMetrics (nIndex=32) returned 8 [0113.082] GetSystemMetrics (nIndex=33) returned 8 [0113.082] GetSystemMetrics (nIndex=42) returned 0 [0113.082] GetStockObject (i=15) returned 0x188000b [0113.082] GetStockObject (i=7) returned 0x1b00017 [0113.082] GetStockObject (i=6) returned 0x1b00018 [0113.082] GetStockObject (i=8) returned 0x1b00016 [0113.082] GetStockObject (i=4) returned 0x1900011 [0113.082] GetStockObject (i=2) returned 0x1900012 [0113.082] GetStockObject (i=0) returned 0x1900010 [0113.082] GetStockObject (i=5) returned 0x1900015 [0113.082] GetStockObject (i=13) returned 0x18a002e [0113.082] GetDC (hWnd=0x0) returned 0x1401007f [0113.083] GetTextExtentPointA (in: hdc=0x1401007f, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0113.109] GetDeviceCaps (hdc=0x1401007f, index=14) returned 1 [0113.109] GetDeviceCaps (hdc=0x1401007f, index=12) returned 32 [0113.109] GetDeviceCaps (hdc=0x1401007f, index=88) returned 96 [0113.109] GetDeviceCaps (hdc=0x1401007f, index=90) returned 96 [0113.109] GetDeviceCaps (hdc=0x1401007f, index=38) returned 32409 [0113.109] ReleaseDC (hWnd=0x0, hDC=0x1401007f) returned 1 [0113.109] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x76c466bc) returned 0x0 [0113.109] GetCurrentThreadId () returned 0x540 [0113.109] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0113.109] GetCurrentThreadId () returned 0x540 [0113.109] GetCurrentThreadId () returned 0x540 [0113.109] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S" [0113.109] lstrlenA (lpString="/S") returned 2 [0113.109] lstrcpyA (in: lpString1=0x18feac, lpString2="/S" | out: lpString1="/S") returned="/S" [0113.109] SetErrorMode (uMode=0x8001) returned 0x0 [0113.110] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0113.110] GetUserDefaultLCID () returned 0x409 [0113.110] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0113.110] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0113.110] GetSystemDefaultLCID () returned 0x409 [0113.110] GetUserDefaultLCID () returned 0x409 [0113.110] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0113.110] GetStockObject (i=13) returned 0x18a002e [0113.110] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0113.110] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0113.110] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0113.110] lstrlenA (lpString="{xx}") returned 4 [0113.110] lstrlenA (lpString="VB98.CHM") returned 8 [0113.110] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0113.110] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0113.110] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0113.110] lstrlenA (lpString="{xx}") returned 4 [0113.110] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0113.110] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0113.110] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0x3a [0113.110] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0113.110] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0113.110] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0113.110] lstrcpyA (in: lpString1=0x25917b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0113.110] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\5P5NRGJN0JS HALPMCXZ\\APPDATA\\ROAMING\\IGFXONUX.SCR") returned 59 [0113.111] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0113.111] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0113.111] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?5P5NRGJN0JS HALPMCXZ?APPDATA?ROAMING?IGFXONUX.SCR") returned 0x90 [0113.111] GetLastError () returned 0x0 [0113.111] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0113.111] OleInitialize (pvReserved=0x0) returned 0x0 [0113.435] lstrlenA (lpString="/Embedding") returned 10 [0113.435] lstrlenA (lpString="/S") returned 2 [0113.435] lstrlenA (lpString="-Embedding") returned 10 [0113.435] lstrlenA (lpString="/UnRegServer") returned 12 [0113.435] lstrlenA (lpString="/S") returned 2 [0113.435] lstrlenA (lpString="/RegServer") returned 10 [0113.435] lstrlenA (lpString="/S") returned 2 [0113.436] OaBuildVersion () returned 0x321396 [0113.436] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x760d0000 [0113.436] GetLastError () returned 0x0 [0113.436] GetProcAddress (hModule=0x760d0000, lpProcName="OleLoadPictureEx") returned 0x761370a1 [0113.436] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc10c [0113.436] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b1 [0113.436] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0113.436] RegisterClassA (lpWndClass=0x18fc34) returned 0xc109 [0113.436] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0113.436] RegisterClassA (lpWndClass=0x18fc34) returned 0xc10a [0113.437] GetUserDefaultLCID () returned 0x409 [0113.437] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0113.437] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.438] VirtualProtect (in: lpAddress=0x1a0000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0113.438] GetCurrentProcess () returned 0xffffffff [0113.438] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x1a0000, dwSize=0x6000) returned 1 [0113.438] GlobalAddAtomA (lpString="VBDisabled") returned 0xc03a [0113.438] GetVersion () returned 0x1db10106 [0113.438] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x760d0000 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="DispCallFunc") returned 0x760e3dcf [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="LoadTypeLibEx") returned 0x760e07b7 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="UnRegisterTypeLib") returned 0x76101ca9 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="CreateTypeLib2") returned 0x760e8e70 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarDateFromUdate") returned 0x760e7684 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarUdateFromDate") returned 0x760ecc98 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="GetAltMonthNames") returned 0x7611903a [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarNumFromParseNum") returned 0x760e6231 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarParseNumFromStr") returned 0x760e5fea [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecFromR4") returned 0x760f3f94 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecFromR8") returned 0x760f4e9e [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecFromDate") returned 0x7611db72 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecFromI4") returned 0x76102a8c [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecFromCy") returned 0x7611d737 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="VarR4FromDec") returned 0x7611e015 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x7611cc3d [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="GetRecordInfoFromGuids") returned 0x7611d1c4 [0113.439] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArrayGetRecordInfo") returned 0x7611d48c [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArraySetRecordInfo") returned 0x7611d4c6 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArrayGetIID") returned 0x7611d509 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArraySetIID") returned 0x760ee7bb [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArrayCopyData") returned 0x760ee496 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x760eddf1 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="SafeArrayCreateEx") returned 0x7611d53f [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarFormat") returned 0x76122055 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarFormatDateTime") returned 0x761220ea [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarFormatNumber") returned 0x76122151 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarFormatPercent") returned 0x761221f5 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarFormatCurrency") returned 0x76122288 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarWeekdayName") returned 0x76122335 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarMonthName") returned 0x761223d5 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarAdd") returned 0x760f5934 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarAnd") returned 0x760f5a98 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarCat") returned 0x760f59b4 [0113.440] GetProcAddress (hModule=0x760d0000, lpProcName="VarDiv") returned 0x7614e405 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarEqv") returned 0x7614ef07 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarIdiv") returned 0x7614f00a [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarImp") returned 0x7614ef47 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarMod") returned 0x7614f15e [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarMul") returned 0x7614dbd4 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarOr") returned 0x7614ecfa [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarPow") returned 0x7614ea66 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarSub") returned 0x7614d332 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarXor") returned 0x7614ee2e [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarAbs") returned 0x7614ca11 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarFix") returned 0x7614cc5f [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarInt") returned 0x7614cde7 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarNeg") returned 0x7614c802 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarNot") returned 0x7614ec66 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarRound") returned 0x7614d155 [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarCmp") returned 0x760eb0dc [0113.441] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecAdd") returned 0x76105f3e [0113.442] GetProcAddress (hModule=0x760d0000, lpProcName="VarDecCmp") returned 0x760f4fd0 [0113.442] GetProcAddress (hModule=0x760d0000, lpProcName="VarBstrCat") returned 0x760f0d2c [0113.442] GetProcAddress (hModule=0x760d0000, lpProcName="VarCyMulI4") returned 0x761059ed [0113.442] GetProcAddress (hModule=0x760d0000, lpProcName="VarBstrCmp") returned 0x760df8b8 [0113.442] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76b00000 [0113.442] GetProcAddress (hModule=0x76b00000, lpProcName="CoCreateInstanceEx") returned 0x76b49d4e [0113.442] GetProcAddress (hModule=0x76b00000, lpProcName="CLSIDFromProgIDEx") returned 0x76b10782 [0113.442] GetSystemMetrics (nIndex=42) returned 0 [0113.442] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x76c466bc) returned 0x0 [0113.442] IMalloc:Alloc (This=0x76c466bc, cb=0x4) returned 0x294bc0 [0113.442] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0x3a [0113.443] lstrcatA (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", lpString2=".cfg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr.cfg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr.cfg" [0113.443] SetLastError (dwErrCode=0x0) [0113.443] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0113.443] SetLastError (dwErrCode=0x2) [0113.443] GetLastError () returned 0x2 [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="MTX") returned -1 [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="DLLHOST") returned 1 [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="INETINFO") returned -1 [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="W3WP") returned -1 [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="ASPNET_WP") returned 1 [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="DLLHST3G") returned 1 [0113.443] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0x3a [0113.443] lstrcmpiA (lpString1="igfxonux", lpString2="IEXPLORE") returned 1 [0113.443] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x73990000 [0113.455] GetLastError () returned 0x0 [0113.455] GetProcAddress (hModule=0x73990000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x739d7685 [0113.455] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea4, cchWideChar=3 | out: lpWideCharStr="/S") returned 3 [0113.455] CoRegisterMessageFilter (in: lpMessageFilter=0x2592054, lplpMessageFilter=0x259205c | out: lplpMessageFilter=0x259205c*=0x0) returned 0x0 [0113.455] IUnknown:AddRef (This=0x2592054) returned 0x2 [0113.455] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0113.456] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x200e9 [0113.456] GetModuleHandleA (lpModuleName="USER32") returned 0x76f90000 [0113.456] GetProcAddress (hModule=0x76f90000, lpProcName="GetSystemMetrics") returned 0x76fa7d2f [0113.456] GetProcAddress (hModule=0x76f90000, lpProcName="MonitorFromWindow") returned 0x76fb3150 [0113.456] GetProcAddress (hModule=0x76f90000, lpProcName="MonitorFromRect") returned 0x76fce7a0 [0113.456] GetProcAddress (hModule=0x76f90000, lpProcName="MonitorFromPoint") returned 0x76fb5281 [0113.456] GetProcAddress (hModule=0x76f90000, lpProcName="EnumDisplayMonitors") returned 0x76fb451a [0113.456] GetProcAddress (hModule=0x76f90000, lpProcName="GetMonitorInfoA") returned 0x76fb4413 [0113.456] GetSystemMetrics (nIndex=0) returned 1440 [0113.456] GetSystemMetrics (nIndex=78) returned 1440 [0113.456] GetSystemMetrics (nIndex=1) returned 900 [0113.456] GetSystemMetrics (nIndex=79) returned 900 [0113.456] GetSystemMetrics (nIndex=50) returned 16 [0113.457] GetSystemMetrics (nIndex=49) returned 16 [0113.457] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x200eb [0113.457] RegisterClassExA (param_1=0x18fe78) returned 0x8ec108 [0113.457] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x2010e [0113.457] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0113.459] MonitorFromWindow (hwnd=0x2010e, dwFlags=0x2) returned 0x10001 [0113.459] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0113.459] SetWindowPos (hWnd=0x2010e, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0113.459] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0113.463] ShowWindow (hWnd=0x2010e, nCmdShow=4) returned 0 [0113.463] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0113.463] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0113.463] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0113.463] GetWindowThreadProcessId (in: hWnd=0x2010e, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x540 [0113.463] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0113.463] GetUserDefaultLCID () returned 0x409 [0113.463] IsValidCodePage (CodePage=0x3a4) returned 1 [0113.464] IsValidCodePage (CodePage=0x3b5) returned 1 [0113.465] IsValidCodePage (CodePage=0x3b6) returned 1 [0113.465] IsValidCodePage (CodePage=0x3a8) returned 1 [0113.468] GetUserDefaultLangID () returned 0x409 [0113.468] GetSystemDefaultLangID () returned 0x290409 [0113.469] GetSystemMetrics (nIndex=42) returned 0 [0113.469] IMalloc:Alloc (This=0x76c466bc, cb=0xa8) returned 0x29e438 [0113.469] IMalloc:GetSize (This=0x76c466bc, pv=0x29e438) returned 0xa8 [0113.469] IMalloc:Alloc (This=0x76c466bc, cb=0xc) returned 0x29db60 [0113.469] GetCurrentThreadId () returned 0x540 [0113.469] IMalloc:Alloc (This=0x76c466bc, cb=0x3c) returned 0x294c68 [0113.469] IMalloc:Alloc (This=0x76c466bc, cb=0x1c) returned 0x29a408 [0113.469] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0113.469] IMalloc:Alloc (This=0x76c466bc, cb=0x1c) returned 0x29a430 [0113.469] GetCurrentThreadId () returned 0x540 [0113.469] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x540) returned 0x300e5 [0113.470] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0113.470] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c105 [0113.470] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x10114 [0113.470] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0113.470] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0113.470] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0113.470] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0113.470] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0113.470] SetWindowLongA (hWnd=0x10114, nIndex=0, dwNewLong=39395484) returned 0 [0113.470] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0113.470] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0113.470] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0113.470] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0113.470] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0113.470] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0113.471] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0113.471] CreateCompatibleDC (hdc=0x0) returned 0x80107d3 [0113.471] GetCurrentObject (hdc=0x80107d3, type=0x7) returned 0x185000f [0113.471] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x2010e, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x10116 [0113.471] NtdllDefWindowProc_A (hWnd=0x10116, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0113.471] NtdllDefWindowProc_A (hWnd=0x10116, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0113.471] NtdllDefWindowProc_A (hWnd=0x10116, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0113.471] NtdllDefWindowProc_A (hWnd=0x10116, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0113.471] NtdllDefWindowProc_A (hWnd=0x10116, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0113.471] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x210, wParam=0x1, lParam=0x10116) returned 0x0 [0113.471] GetCurrentThreadId () returned 0x540 [0113.471] GetCurrentThreadId () returned 0x540 [0113.472] lstrlenA (lpString="VB") returned 2 [0113.472] lstrlenA (lpString="CommandButton") returned 13 [0113.473] lstrlenA (lpString="VB") returned 2 [0113.473] lstrlenA (lpString="Printer") returned 7 [0113.473] lstrlenA (lpString="VB") returned 2 [0113.473] lstrlenA (lpString="Form") returned 4 [0113.473] lstrlenA (lpString="VB") returned 2 [0113.473] lstrlenA (lpString="Screen") returned 6 [0113.485] lstrlenA (lpString="VB") returned 2 [0113.485] lstrlenA (lpString="Clipboard") returned 9 [0113.485] lstrlenA (lpString="VB") returned 2 [0113.485] lstrlenA (lpString="MDIForm") returned 7 [0113.485] lstrlenA (lpString="VB") returned 2 [0113.485] lstrlenA (lpString="App") returned 3 [0113.486] lstrlenA (lpString="VB") returned 2 [0113.486] lstrlenA (lpString="UserControl") returned 11 [0113.486] lstrlenA (lpString="VB") returned 2 [0113.486] lstrlenA (lpString="PropertyPage") returned 12 [0113.486] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0113.486] lstrlenA (lpString="VB") returned 2 [0113.486] lstrlenA (lpString="UserDocument") returned 12 [0113.809] GetCurrentThreadId () returned 0x540 [0113.809] GetCurrentThreadId () returned 0x540 [0113.817] GetCurrentThreadId () returned 0x540 [0113.817] GetCurrentThreadId () returned 0x540 [0113.817] GetCurrentThreadId () returned 0x540 [0113.817] GetCurrentThreadId () returned 0x540 [0113.817] lstrlenA (lpString="VB") returned 2 [0113.817] lstrlenA (lpString="PictureBox") returned 10 [0113.817] lstrlenA (lpString="VB") returned 2 [0113.817] lstrlenA (lpString="Label") returned 5 [0113.818] lstrlenA (lpString="VB") returned 2 [0113.818] lstrlenA (lpString="TextBox") returned 7 [0113.818] lstrlenA (lpString="VB") returned 2 [0113.818] lstrlenA (lpString="Frame") returned 5 [0113.818] lstrlenA (lpString="VB") returned 2 [0113.818] lstrlenA (lpString="CheckBox") returned 8 [0113.818] lstrlenA (lpString="VB") returned 2 [0113.818] lstrlenA (lpString="OptionButton") returned 12 [0113.819] lstrlenA (lpString="VB") returned 2 [0113.819] lstrlenA (lpString="ComboBox") returned 8 [0113.819] lstrlenA (lpString="VB") returned 2 [0113.819] lstrlenA (lpString="ListBox") returned 7 [0113.819] lstrlenA (lpString="VB") returned 2 [0113.819] lstrlenA (lpString="HScrollBar") returned 10 [0113.819] lstrlenA (lpString="VB") returned 2 [0113.819] lstrlenA (lpString="VScrollBar") returned 10 [0113.820] lstrlenA (lpString="VB") returned 2 [0113.820] lstrlenA (lpString="Timer") returned 5 [0113.820] lstrlenA (lpString="VB") returned 2 [0113.820] lstrlenA (lpString="DriveListBox") returned 12 [0113.820] lstrlenA (lpString="VB") returned 2 [0113.820] lstrlenA (lpString="DirListBox") returned 10 [0113.820] lstrlenA (lpString="VB") returned 2 [0113.820] lstrlenA (lpString="FileListBox") returned 11 [0113.821] lstrlenA (lpString="VB") returned 2 [0113.821] lstrlenA (lpString="Menu") returned 4 [0113.821] lstrlenA (lpString="VB") returned 2 [0113.821] lstrlenA (lpString="Shape") returned 5 [0113.821] lstrlenA (lpString="VB") returned 2 [0113.821] lstrlenA (lpString="Line") returned 4 [0113.821] lstrlenA (lpString="VB") returned 2 [0113.821] lstrlenA (lpString="Image") returned 5 [0113.822] lstrlenA (lpString="VB") returned 2 [0113.822] lstrlenA (lpString="Data") returned 4 [0113.822] lstrlenA (lpString="VB") returned 2 [0113.822] lstrlenA (lpString="OLE") returned 3 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0x64) returned 0x299dc8 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0x64) returned 0x29acb8 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0x64) returned 0x29e4e8 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0x64) returned 0x29e558 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0xc) returned 0x29db78 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0x68) returned 0x29e5c8 [0113.858] IMalloc:GetSize (This=0x76c466bc, pv=0x29e5c8) returned 0x68 [0113.858] IMalloc:Alloc (This=0x76c466bc, cb=0x20) returned 0x29a5e8 [0113.890] GetCurrentThreadId () returned 0x540 [0113.890] GetCurrentThreadId () returned 0x540 [0113.890] IMalloc:Alloc (This=0x76c466bc, cb=0x1c) returned 0x29a610 [0113.890] VirtualProtect (in: lpAddress=0x1a0000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0113.890] GetCurrentProcess () returned 0xffffffff [0113.890] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x1a0000, dwSize=0x6000) returned 1 [0113.890] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.891] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.891] VirtualAlloc (lpAddress=0x1a0000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.891] VirtualAlloc (lpAddress=0x1a0000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x1a0000 [0113.891] VirtualProtect (in: lpAddress=0x1a0000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0113.891] GetCurrentProcess () returned 0xffffffff [0113.891] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x1a0000, dwSize=0xa000) returned 1 [0113.891] GetCurrentThreadId () returned 0x540 [0113.896] GetCurrentThreadId () returned 0x540 [0113.896] SetWindowTextA (hWnd=0x2010e, lpString="Saberbill8") returned 1 [0113.896] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0113.897] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0113.986] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0113.986] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0114.015] IMalloc:Alloc (This=0x76c466bc, cb=0x64) returned 0x29e668 [0114.015] IMalloc:GetSize (This=0x76c466bc, pv=0x29e668) returned 0x64 [0114.021] GetCurrentThreadId () returned 0x540 [0114.021] GetCurrentThreadId () returned 0x540 [0114.021] GetCurrentThreadId () returned 0x540 [0114.323] GetCurrentThreadId () returned 0x540 [0114.323] GetCurrentThreadId () returned 0x540 [0114.323] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0114.521] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1595d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1ePwVÁ\x12") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0114.521] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0114.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x72992cd8, cbMultiByte=-1, lpWideCharStr=0x18faa4, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0114.570] OleCreateFontIndirect () returned 0x0 [0114.610] lstrlenA (lpString="Southlander") returned 11 [0114.751] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x50091 [0114.754] OleCreatePictureIndirect () returned 0x0 [0114.809] lstrlenA (lpString="Southlander") returned 11 [0114.809] lstrlenA (lpString="ThunderRT6") returned 10 [0114.809] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0114.809] lstrlenA (lpString="ThunderRT6Form") returned 14 [0114.809] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0114.809] lstrlenA (lpString="ThunderRT6") returned 10 [0114.809] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0114.809] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0114.809] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0114.809] RegisterClassA (lpWndClass=0x18fa78) returned 0xd9c06e [0114.809] lstrlenA (lpString="ThunderRT6") returned 10 [0114.809] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0114.809] lstrlenA (lpString="ThunderRT6Form") returned 14 [0114.809] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0114.809] RegisterClassA (lpWndClass=0x18fa78) returned 0xc06d [0114.809] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0114.809] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc06d, lpWindowName="Southlander", dwStyle=0x2cf0000, X=265, Y=252, nWidth=151, nHeight=78, hWndParent=0x2010e, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x2001c [0114.810] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0114.810] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0114.816] GetSystemMenu (hWnd=0x2001c, bRevert=0) returned 0x40093 [0114.866] SetWindowContextHelpId (param_1=0x2001c, param_2=0xffffffff) returned 1 [0114.866] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0114.866] GetDC (hWnd=0x2001c) returned 0x5c0106aa [0114.866] GetTextMetricsA (in: hdc=0x5c0106aa, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0114.866] SetBkMode (hdc=0x5c0106aa, mode=1) returned 2 [0114.882] OleTranslateColor () returned 0x0 [0114.882] SetBkColor (hdc=0x5c0106aa, color=0xf0f0f0) returned 0xffffff [0114.882] OleTranslateColor () returned 0x0 [0114.882] SetTextColor (hdc=0x5c0106aa, color=0x0) returned 0x0 [0114.882] OleTranslateColor () returned 0x0 [0114.882] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x16300269 [0114.882] SelectObject (hdc=0x5c0106aa, h=0x16300269) returned 0x1b00017 [0114.882] SelectObject (hdc=0x5c0106aa, h=0x1900011) returned 0x1900010 [0114.882] ClientToScreen (in: hWnd=0x2001c, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0114.882] SetBrushOrgEx (in: hdc=0x5c0106aa, x=1, y=2, lppt=0x0 | out: lppt=0x0) returned 1 [0114.882] UnrealizeObject (h=0x1900015) returned 1 [0114.882] SelectObject (hdc=0x5c0106aa, h=0x1900015) returned 0x1900011 [0114.882] SelectObject (hdc=0x5c0106aa, h=0xd0a01c6) returned 0x18a002e [0114.882] GetTextMetricsA (in: hdc=0x5c0106aa, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0114.888] lstrlenA (lpString="Southlander") returned 11 [0114.888] lstrlenA (lpString="ThunderRT6") returned 10 [0114.888] lstrcpyA (in: lpString1=0x18fa88, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0114.888] lstrlenA (lpString="ThunderRT6") returned 10 [0114.888] lstrcpyA (in: lpString1=0x18fa1c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0114.888] GetClassInfoA (in: hInstance=0x0, lpClassName="Button", lpWndClass=0x18fa48 | out: lpWndClass=0x18fa48) returned 1 [0114.889] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6CommandButton", lpWndClass=0x18fa48 | out: lpWndClass=0x18fa48) returned 0 [0114.889] RegisterClassA (lpWndClass=0x18fa48) returned 0xc070 [0114.889] CreateWindowExA (dwExStyle=0x4, lpClassName=0xc070, lpWindowName="Southlander", dwStyle=0x44012000, X=528, Y=296, nWidth=265, nHeight=145, hWndParent=0x2001c, hMenu=0x1, hInstance=0x72940000, lpParam=0x0) returned 0x20016 [0114.889] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x81, wParam=0x0, lParam=0x18f66c) returned 0x1 [0114.889] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x83, wParam=0x0, lParam=0x18f658) returned 0x0 [0114.889] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x1, wParam=0x0, lParam=0x18f66c) returned 0x0 [0114.889] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x5, wParam=0x0, lParam=0x910109) returned 0x0 [0114.889] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x3, wParam=0x0, lParam=0x1280210) returned 0x0 [0114.889] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x30, wParam=0xd0a01c6, lParam=0x0) returned 0x0 [0114.890] ShowWindow (hWnd=0x20016, nCmdShow=5) returned 0 [0114.890] CallWindowProcA (lpPrevWndFunc=0x7750abd3, hWnd=0x20016, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0114.890] GetClientRect (in: hWnd=0x2001c, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0114.890] MapWindowPoints (in: hWndFrom=0x2001c, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 18481425 [0114.890] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0114.890] SetEvent (hEvent=0xb4) returned 1 [0114.890] IsIconic (hWnd=0x2001c) returned 0 [0114.890] SendMessageA (hWnd=0x2001c, Msg=0x80, wParam=0x1, lParam=0x50091) returned 0x0 [0114.890] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x80, wParam=0x1, lParam=0x50091) returned 0x0 [0114.926] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x2009f [0114.938] IsIconic (hWnd=0x2001c) returned 0 [0114.938] IsZoomed (hWnd=0x2001c) returned 0 [0114.938] GetClientRect (in: hWnd=0x2001c, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0114.938] GetWindow (hWnd=0x2001c, uCmd=0x5) returned 0x20016 [0114.938] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x0 [0114.938] GetParent (hWnd=0x20016) returned 0x2001c [0114.938] SetErrorMode (uMode=0x8001) returned 0x8001 [0114.938] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76260000 [0114.938] SetErrorMode (uMode=0x8001) returned 0x8001 [0114.938] GetProcAddress (hModule=0x76260000, lpProcName="CloseEventLog") returned 0x762677c3 [0114.938] CloseEventLog (hEventLog=0x0) returned 0 [0114.952] GetLastError () returned 0x6 [0114.952] SetErrorMode (uMode=0x8001) returned 0x8001 [0114.952] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76260000 [0114.953] SetErrorMode (uMode=0x8001) returned 0x8001 [0114.953] GetProcAddress (hModule=0x76260000, lpProcName="SetAclInformation") returned 0x762a34e3 [0114.965] SetAclInformation (in: pAcl=0x18fa78, pAclInformation=0x18fa7c, nAclInformationLength=0x0, dwAclInformationClass=0x0 | out: pAcl=0x18fa78) returned 0 [0114.969] GetLastError () returned 0x57 [0114.969] SetErrorMode (uMode=0x8001) returned 0x8001 [0114.970] LoadLibraryA (lpLibFileName="user32") returned 0x76f90000 [0114.970] SetErrorMode (uMode=0x8001) returned 0x8001 [0114.970] GetProcAddress (hModule=0x76f90000, lpProcName="CreateDialogIndirectParamA") returned 0x76fbb029 [0114.970] CreateDialogIndirectParamA (hInstance=0x0, lpTemplate=0x18fa78, hWndParent=0x0, lpDialogFunc=0x0, dwInitParam=0x0) returned 0x0 [0114.974] GetLastError () returned 0x715 [0114.974] GetUserDefaultLCID () returned 0x409 [0114.974] VarBstrFromI2 (iVal=0, lcid=0x409, dwFlags=0x0, pbstrOut=0x18fa3c) returned 0x0 [0115.002] SysStringLen (param_1="0") returned 0x1 [0115.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0115.002] SysStringLen (param_1="0") returned 0x1 [0115.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=2, lpMultiByteStr=0x29dc24, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0115.002] GetUserDefaultLCID () returned 0x409 [0115.002] VarBstrFromI2 (iVal=0, lcid=0x409, dwFlags=0x0, pbstrOut=0x18fa38) returned 0x0 [0115.002] SysStringLen (param_1="0") returned 0x1 [0115.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0115.002] SysStringLen (param_1="0") returned 0x1 [0115.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=2, lpMultiByteStr=0x29dc6c, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0115.002] GetUserDefaultLCID () returned 0x409 [0115.002] VarBstrFromI2 (iVal=0, lcid=0x409, dwFlags=0x0, pbstrOut=0x18fa34) returned 0x0 [0115.002] SysStringLen (param_1="0") returned 0x1 [0115.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0115.002] SysStringLen (param_1="0") returned 0x1 [0115.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=2, lpMultiByteStr=0x29dc9c, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0115.002] SetErrorMode (uMode=0x8001) returned 0x8001 [0115.002] LoadLibraryA (lpLibFileName="winspool.drv") returned 0x74f70000 [0115.011] SetErrorMode (uMode=0x8001) returned 0x8001 [0115.011] GetProcAddress (hModule=0x74f70000, lpProcName="DeletePrintProcessorA") returned 0x74f78aff [0115.011] DeletePrintProcessorA (pName="0", pEnvironment="0", pPrintProcessorName="0") returned 0 [0116.172] GetLastError () returned 0x7b [0116.173] GetCurrentThreadId () returned 0x540 [0116.173] GetCurrentThreadId () returned 0x540 [0116.173] GetCurrentThreadId () returned 0x540 [0116.173] SetWindowTextA (hWnd=0x2010e, lpString="Saberbill8") returned 1 [0116.173] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0xc, wParam=0x0, lParam=0x25a1fe0) returned 0x1 [0116.173] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f8a8, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr")) returned 0x3a [0116.173] lstrcpynA (in: lpString1=0x18f794, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", iMaxLength=260 | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" [0116.173] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr") returned 58 [0116.173] lstrcpyA (in: lpString1=0x25ab490, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" [0116.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x25ab520, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 46 [0116.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x25ab520, cbMultiByte=-1, lpWideCharStr=0x2f6e0c, cchWideChar=46 | out: lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 46 [0116.175] SysStringLen (param_1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0116.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", cchWideChar=46, lpMultiByteStr=0x2f74cc, cbMultiByte=91, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpUsedDefaultChar=0x0) returned 46 [0116.175] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 45 [0116.175] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0xc, wParam=0x0, lParam=0x2f74cc) returned 0x1 [0116.175] GetWindowLongA (hWnd=0x2001c, nIndex=-16) returned 114229248 [0116.175] GetWindowLongA (hWnd=0x2001c, nIndex=-20) returned 256 [0116.175] GetClientRect (in: hWnd=0x2001c, lpRect=0x18f98c | out: lpRect=0x18f98c) returned 1 [0116.175] MapWindowPoints (in: hWndFrom=0x2001c, hWndTo=0x0, lpPoints=0x18f98c, cPoints=0x2 | out: lpPoints=0x18f98c) returned 18481425 [0116.175] SetWindowLongA (hWnd=0x2001c, nIndex=-16, dwNewLong=114229248) returned 114229248 [0116.175] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x7c, wParam=0xfffffff0, lParam=0x18f918) returned 0x0 [0116.175] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x7d, wParam=0xfffffff0, lParam=0x18f918) returned 0x0 [0116.176] SetWindowLongA (hWnd=0x2001c, nIndex=-20, dwNewLong=256) returned 256 [0116.176] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x7c, wParam=0xffffffec, lParam=0x18f918) returned 0x0 [0116.176] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x7d, wParam=0xffffffec, lParam=0x18f918) returned 0x0 [0116.176] GetClientRect (in: hWnd=0x2001c, lpRect=0x18f954 | out: lpRect=0x18f954) returned 1 [0116.176] MapWindowPoints (in: hWndFrom=0x2001c, hWndTo=0x0, lpPoints=0x18f954, cPoints=0x2 | out: lpPoints=0x18f954) returned 18481425 [0116.176] EqualRect (lprc1=0x18f954, lprc2=0x18f98c) returned 1 [0116.176] GetClientRect (in: hWnd=0x2001c, lpRect=0x18f918 | out: lpRect=0x18f918) returned 1 [0116.176] OleTranslateColor () returned 0x0 [0116.176] OleTranslateColor () returned 0x0 [0116.176] CreateSolidBrush (color=0xff) returned 0x610060d [0116.176] OleTranslateColor () returned 0x0 [0116.176] OleTranslateColor () returned 0x0 [0116.176] SetTextColor (hdc=0x5c0106aa, color=0x0) returned 0x0 [0116.177] SetBkColor (hdc=0x5c0106aa, color=0xff) returned 0xf0f0f0 [0116.177] FillRect (hDC=0x5c0106aa, lprc=0x18f918, hbr=0x610060d) returned 1 [0116.177] SetTextColor (hdc=0x5c0106aa, color=0x0) returned 0x0 [0116.177] SetBkColor (hdc=0x5c0106aa, color=0xf0f0f0) returned 0xff [0116.177] OleTranslateColor () returned 0x0 [0116.177] SetBkColor (hdc=0x5c0106aa, color=0xff) returned 0xf0f0f0 [0116.177] GetCurrentProcessId () returned 0x53c [0116.177] PeekMessageA (in: lpMsg=0x18f97c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f97c) returned 0 [0116.178] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0116.178] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0116.178] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0116.178] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0116.178] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0116.178] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0116.178] GetTickCount () returned 0x37c2 [0116.178] GetTickCount () returned 0x37c2 [0116.178] GetTickCount () returned 0x37c2 [0116.179] CoFreeUnusedLibraries () [0116.224] GetTickCount () returned 0x37f0 [0116.224] GetTickCount () returned 0x37f0 [0116.224] IsWindowVisible (hWnd=0x2001c) returned 0 [0116.224] Sleep (dwMilliseconds=0x0) [0116.257] SetWindowPos (hWnd=0x2001c, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0116.258] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x46, wParam=0x0, lParam=0x18f57c) returned 0x0 [0116.258] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x46, wParam=0x0, lParam=0x18f57c) returned 0x0 [0116.258] GetParent (hWnd=0x2001c) returned 0x0 [0116.258] GetWindowRect (in: hWnd=0x2001c, lpRect=0x18f1a4 | out: lpRect=0x18f1a4) returned 1 [0116.258] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x47, wParam=0x0, lParam=0x18f57c) returned 0x0 [0116.258] GetWindowLongA (hWnd=0x2001c, nIndex=-16) returned 114229248 [0116.258] GetClientRect (in: hWnd=0x2001c, lpRect=0x18f214 | out: lpRect=0x18f214) returned 1 [0116.258] MapWindowPoints (in: hWndFrom=0x2001c, hWndTo=0x0, lpPoints=0x18f214, cPoints=0x2 | out: lpPoints=0x18f214) returned 18481425 [0116.259] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x83, wParam=0x1, lParam=0x18f160) returned 0x0 [0116.259] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x47, wParam=0x0, lParam=0x18f57c) returned 0x0 [0116.259] GetWindow (hWnd=0x2001c, uCmd=0x0) returned 0x10076 [0116.259] GetWindow (hWnd=0x10076, uCmd=0x2) returned 0x10074 [0116.259] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x10060 [0116.259] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1008c [0116.259] GetWindow (hWnd=0x1008c, uCmd=0x2) returned 0x1007e [0116.259] GetWindow (hWnd=0x1007e, uCmd=0x2) returned 0x1007c [0116.259] GetWindow (hWnd=0x1007c, uCmd=0x2) returned 0x10078 [0116.259] GetWindow (hWnd=0x10078, uCmd=0x2) returned 0x10056 [0116.259] GetWindow (hWnd=0x10056, uCmd=0x2) returned 0x10052 [0116.259] GetWindow (hWnd=0x10052, uCmd=0x2) returned 0x10058 [0116.259] GetWindow (hWnd=0x10058, uCmd=0x2) returned 0x10054 [0116.259] GetWindow (hWnd=0x10054, uCmd=0x2) returned 0x100f8 [0116.259] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x100ec [0116.260] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100dc [0116.260] GetWindow (hWnd=0x100dc, uCmd=0x2) returned 0x100b4 [0116.260] GetWindow (hWnd=0x100b4, uCmd=0x2) returned 0x5009a [0116.260] GetWindow (hWnd=0x5009a, uCmd=0x2) returned 0x1008e [0116.260] GetWindow (hWnd=0x1008e, uCmd=0x2) returned 0x100ac [0116.260] GetWindow (hWnd=0x100ac, uCmd=0x2) returned 0x2001c [0116.260] IsWindowVisible (hWnd=0x2001c) returned 0 [0116.260] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x10112 [0116.260] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x2010e [0116.260] GetWindow (hWnd=0x2010e, uCmd=0x2) returned 0x20024 [0116.260] GetWindow (hWnd=0x20024, uCmd=0x2) returned 0x1011c [0116.260] GetWindow (hWnd=0x1011c, uCmd=0x2) returned 0x2001a [0116.260] GetWindow (hWnd=0x2001a, uCmd=0x2) returned 0x20022 [0116.260] GetWindow (hWnd=0x20022, uCmd=0x2) returned 0x20018 [0116.260] GetWindow (hWnd=0x20018, uCmd=0x2) returned 0x10114 [0116.260] GetWindow (hWnd=0x10114, uCmd=0x2) returned 0x20102 [0116.260] GetWindow (hWnd=0x20102, uCmd=0x2) returned 0x10110 [0116.260] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x1010c [0116.260] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x10106 [0116.260] GetWindow (hWnd=0x10106, uCmd=0x2) returned 0x10100 [0116.260] GetWindow (hWnd=0x10100, uCmd=0x2) returned 0x100e6 [0116.260] GetWindow (hWnd=0x100e6, uCmd=0x2) returned 0x100e2 [0116.260] GetWindow (hWnd=0x100e2, uCmd=0x2) returned 0x100d6 [0116.260] GetWindow (hWnd=0x100d6, uCmd=0x2) returned 0x100cc [0116.260] GetWindow (hWnd=0x100cc, uCmd=0x2) returned 0x100c6 [0116.260] GetWindow (hWnd=0x100c6, uCmd=0x2) returned 0x200c0 [0116.260] GetWindow (hWnd=0x200c0, uCmd=0x2) returned 0x30098 [0116.261] GetWindow (hWnd=0x30098, uCmd=0x2) returned 0x50090 [0116.261] GetWindow (hWnd=0x50090, uCmd=0x2) returned 0x100a6 [0116.261] GetWindow (hWnd=0x100a6, uCmd=0x2) returned 0x100a8 [0116.261] GetWindow (hWnd=0x100a8, uCmd=0x2) returned 0x10086 [0116.261] GetWindow (hWnd=0x10086, uCmd=0x2) returned 0x20084 [0116.261] GetWindow (hWnd=0x20084, uCmd=0x2) returned 0x1007a [0116.261] GetWindow (hWnd=0x1007a, uCmd=0x2) returned 0x10068 [0116.261] GetWindow (hWnd=0x10068, uCmd=0x2) returned 0x10064 [0116.261] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10050 [0116.261] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x10048 [0116.261] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x30044 [0116.261] GetWindow (hWnd=0x30044, uCmd=0x2) returned 0x10082 [0116.261] GetWindow (hWnd=0x10082, uCmd=0x2) returned 0x10046 [0116.261] GetWindow (hWnd=0x10046, uCmd=0x2) returned 0x1010a [0116.261] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x100f0 [0116.261] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x0 [0116.261] GetCurrentProcessId () returned 0x53c [0116.261] PeekMessageA (in: lpMsg=0x18f97c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f97c) returned 0 [0116.261] GetTickCount () returned 0x381f [0116.261] GetTickCount () returned 0x381f [0116.261] GetTickCount () returned 0x381f [0116.261] GetTickCount () returned 0x381f [0116.261] IsWindowVisible (hWnd=0x2001c) returned 0 [0116.261] Sleep (dwMilliseconds=0x0) [0116.266] IsWindowVisible (hWnd=0x2001c) returned 0 [0116.266] ShowWindow (hWnd=0x2001c, nCmdShow=0) returned 0 [0122.679] SetErrorMode (uMode=0x8001) returned 0x8001 [0122.679] LoadLibraryA (lpLibFileName="user32") returned 0x76f90000 [0122.680] SetErrorMode (uMode=0x8001) returned 0x8001 [0122.680] GetProcAddress (hModule=0x76f90000, lpProcName="CreateWindowExA") returned 0x76fad22e [0122.680] CreateWindowExA (dwExStyle=0x80, lpClassName="STATIC", lpWindowName="çSÌ¥\x92Ë\x1fhÑ\x94Ã7\x1e¯¸X ²B", dwStyle=0x0, X=1488498462, Y=935564497, nWidth=1746914194, nHeight=-1513335833, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x10152 [0122.681] SetErrorMode (uMode=0x8001) returned 0x8001 [0122.681] LoadLibraryA (lpLibFileName="user32") returned 0x76f90000 [0122.681] SetErrorMode (uMode=0x8001) returned 0x8001 [0122.681] GetProcAddress (hModule=0x76f90000, lpProcName="ShowWindow") returned 0x76fb0dfb [0122.681] ShowWindow (hWnd=0x10152, nCmdShow=1) returned 0 [0122.682] NtdllDefWindowProc_A (hWnd=0x2001c, Msg=0x1c, wParam=0x1, lParam=0x174) returned 0x0 [0122.682] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0x1c, wParam=0x1, lParam=0x174) returned 0x0 [0122.682] GetWindowLongA (hWnd=0x10114, nIndex=0) returned 39395484 [0123.327] SetErrorMode (uMode=0x8001) returned 0x8001 [0123.327] LoadLibraryA (lpLibFileName="Msvbvm60.dll") returned 0x72940000 [0123.328] SetErrorMode (uMode=0x8001) returned 0x8001 [0123.328] GetProcAddress (hModule=0x72940000, lpProcName="rtcDoEvents") returned 0x72a0e0f7 [0123.328] GetCurrentProcessId () returned 0x53c [0123.328] PeekMessageA (in: lpMsg=0x18f8a8, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f8a8) returned 1 [0123.328] IsWindow (hWnd=0x2010e) returned 1 [0123.328] GetWindowLongA (hWnd=0x2010e, nIndex=-16) returned -1811349504 [0123.328] GetParent (hWnd=0x2010e) returned 0x0 [0123.328] TranslateMessage (lpMsg=0x18f8a8) returned 0 [0123.328] DispatchMessageA (lpMsg=0x18f8a8) returned 0x0 [0123.328] NtdllDefWindowProc_A (hWnd=0x2010e, Msg=0xc03e, wParam=0x1, lParam=0x0) returned 0x0 [0123.328] PeekMessageA (in: lpMsg=0x18f824, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x18f824) returned 1 [0123.328] PeekMessageA (in: lpMsg=0x18f8a8, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f8a8) returned 1 [0123.328] IsWindow (hWnd=0x10114) returned 1 [0123.328] GetWindowLongA (hWnd=0x10114, nIndex=-16) returned -2080374784 [0123.328] GetParent (hWnd=0x10114) returned 0x0 [0123.328] TranslateMessage (lpMsg=0x18f8a8) returned 0 [0123.328] DispatchMessageA (lpMsg=0x18f8a8) returned 0x0 [0123.328] NtdllDefWindowProc_A (hWnd=0x10114, Msg=0xc03e, wParam=0x1, lParam=0x0) returned 0x0 [0123.328] PeekMessageA (in: lpMsg=0x18f824, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x18f824) returned 1 [0123.328] PeekMessageA (in: lpMsg=0x18f8a8, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18f8a8) returned 1 [0123.328] TranslateMessage (lpMsg=0x18f8a8) returned 0 [0123.329] DispatchMessageA (lpMsg=0x18f8a8) returned 0x0 [0123.329] PeekMessageA (in: lpMsg=0x18f824, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x18f824) returned 0 [0123.329] GetTickCount () returned 0x52d0 [0123.329] IsWindowVisible (hWnd=0x2001c) returned 0 [0123.329] Sleep (dwMilliseconds=0x0) [0123.384] SetErrorMode (uMode=0x8001) returned 0x8001 [0123.384] LoadLibraryA (lpLibFileName="user32") returned 0x76f90000 [0123.384] SetErrorMode (uMode=0x8001) returned 0x8001 [0123.384] GetProcAddress (hModule=0x76f90000, lpProcName="EnumWindows") returned 0x76fad1cf [0123.384] EnumWindows (lpEnumFunc=0x42b8e9, lParam=0x18f974) returned 1 [0123.385] SetErrorMode (uMode=0x8001) returned 0x8001 [0123.385] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0123.385] SetErrorMode (uMode=0x8001) returned 0x8001 [0123.386] GetProcAddress (hModule=0x76720000, lpProcName="VirtualAlloc") returned 0x76731856 [0123.386] VirtualAlloc (lpAddress=0x0, dwSize=0x8300, flAllocationType=0x1000, flProtect=0x40) returned 0x3f0000 [0134.980] SetErrorMode (uMode=0x8001) returned 0x8001 [0134.980] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0134.980] SetErrorMode (uMode=0x8001) returned 0x8001 [0134.981] GetProcAddress (hModule=0x76720000, lpProcName="GetTickCount") returned 0x7673110c [0134.981] SetErrorMode (uMode=0x8001) returned 0x8001 [0134.981] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0134.981] SetErrorMode (uMode=0x8001) returned 0x8001 [0134.981] GetProcAddress (hModule=0x76720000, lpProcName="Sleep") returned 0x767310ff [0134.981] GetTickCount () returned 0x7e53 [0134.981] Sleep (dwMilliseconds=0x7d0) [0137.104] GetTickCount () returned 0x862f [0137.104] SetErrorMode (uMode=0x8001) returned 0x8001 [0137.104] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0137.104] SetErrorMode (uMode=0x8001) returned 0x8001 [0137.104] GetProcAddress (hModule=0x76720000, lpProcName="SetErrorMode") returned 0x76731b00 [0137.104] SetErrorMode (uMode=0x800) returned 0x8001 [0137.104] SetErrorMode (uMode=0x0) returned 0x800 [0137.104] SetErrorMode (uMode=0x8001) returned 0x0 [0137.105] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0137.105] SetErrorMode (uMode=0x0) returned 0x8001 [0137.105] GetProcAddress (hModule=0x76720000, lpProcName="SetLastError") returned 0x767311a9 [0137.105] SetLastError (dwErrCode=0x5) [0137.105] SetErrorMode (uMode=0x8001) returned 0x0 [0137.105] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0137.105] SetErrorMode (uMode=0x0) returned 0x8001 [0137.105] GetProcAddress (hModule=0x76720000, lpProcName="VirtualAllocEx") returned 0x7674d9b0 [0137.105] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x4000000, flAllocationType=0x3000, flProtect=0x40) returned 0x3510000 [0137.106] SetErrorMode (uMode=0x8001) returned 0x0 [0137.106] LoadLibraryA (lpLibFileName="user32") returned 0x76f90000 [0137.107] SetErrorMode (uMode=0x0) returned 0x8001 [0137.107] GetProcAddress (hModule=0x76f90000, lpProcName="GetCursorPos") returned 0x76fb1218 [0137.107] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.107] Sleep (dwMilliseconds=0x1) [0137.120] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.120] Sleep (dwMilliseconds=0x1) [0137.135] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.135] Sleep (dwMilliseconds=0x1) [0137.151] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.151] Sleep (dwMilliseconds=0x1) [0137.166] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.166] Sleep (dwMilliseconds=0x1) [0137.182] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.182] Sleep (dwMilliseconds=0x1) [0137.197] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.198] Sleep (dwMilliseconds=0x1) [0137.213] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.213] Sleep (dwMilliseconds=0x1) [0137.229] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.229] Sleep (dwMilliseconds=0x1) [0137.245] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.245] Sleep (dwMilliseconds=0x1) [0137.260] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.260] Sleep (dwMilliseconds=0x1) [0137.275] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.276] Sleep (dwMilliseconds=0x1) [0137.291] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.291] Sleep (dwMilliseconds=0x1) [0137.307] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.307] Sleep (dwMilliseconds=0x1) [0137.322] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.322] Sleep (dwMilliseconds=0x1) [0137.338] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.338] Sleep (dwMilliseconds=0x1) [0137.353] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.354] Sleep (dwMilliseconds=0x1) [0137.370] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.370] Sleep (dwMilliseconds=0x1) [0137.385] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.385] Sleep (dwMilliseconds=0x1) [0137.401] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.401] Sleep (dwMilliseconds=0x1) [0137.416] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.416] Sleep (dwMilliseconds=0x1) [0137.432] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.432] Sleep (dwMilliseconds=0x1) [0137.448] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.448] Sleep (dwMilliseconds=0x1) [0137.463] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.463] Sleep (dwMilliseconds=0x1) [0137.478] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.478] Sleep (dwMilliseconds=0x1) [0137.494] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.494] Sleep (dwMilliseconds=0x1) [0137.509] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.509] Sleep (dwMilliseconds=0x1) [0137.525] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.525] Sleep (dwMilliseconds=0x1) [0137.541] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.541] Sleep (dwMilliseconds=0x1) [0137.556] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.556] Sleep (dwMilliseconds=0x1) [0137.572] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.572] Sleep (dwMilliseconds=0x1) [0137.587] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.588] Sleep (dwMilliseconds=0x1) [0137.603] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.603] Sleep (dwMilliseconds=0x1) [0137.619] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.619] Sleep (dwMilliseconds=0x1) [0137.634] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.634] Sleep (dwMilliseconds=0x1) [0137.650] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.650] Sleep (dwMilliseconds=0x1) [0137.667] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.667] Sleep (dwMilliseconds=0x1) [0137.681] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.681] Sleep (dwMilliseconds=0x1) [0137.697] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.697] Sleep (dwMilliseconds=0x1) [0137.712] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.712] Sleep (dwMilliseconds=0x1) [0137.728] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.728] Sleep (dwMilliseconds=0x1) [0137.744] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.744] Sleep (dwMilliseconds=0x1) [0137.760] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.760] Sleep (dwMilliseconds=0x1) [0137.775] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.775] Sleep (dwMilliseconds=0x1) [0137.791] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.791] Sleep (dwMilliseconds=0x1) [0137.806] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.806] Sleep (dwMilliseconds=0x1) [0137.821] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.822] Sleep (dwMilliseconds=0x1) [0137.837] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.837] Sleep (dwMilliseconds=0x1) [0137.853] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.853] Sleep (dwMilliseconds=0x1) [0137.868] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.869] Sleep (dwMilliseconds=0x1) [0137.884] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.884] Sleep (dwMilliseconds=0x1) [0137.899] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.900] Sleep (dwMilliseconds=0x1) [0137.915] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.915] Sleep (dwMilliseconds=0x1) [0137.931] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.931] Sleep (dwMilliseconds=0x1) [0137.946] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.946] Sleep (dwMilliseconds=0x1) [0137.962] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.962] Sleep (dwMilliseconds=0x1) [0137.978] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.978] Sleep (dwMilliseconds=0x1) [0137.993] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0137.993] Sleep (dwMilliseconds=0x1) [0138.009] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.009] Sleep (dwMilliseconds=0x1) [0138.024] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.024] Sleep (dwMilliseconds=0x1) [0138.041] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.041] Sleep (dwMilliseconds=0x1) [0138.056] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.056] Sleep (dwMilliseconds=0x1) [0138.071] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.071] Sleep (dwMilliseconds=0x1) [0138.087] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.087] Sleep (dwMilliseconds=0x1) [0138.102] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.102] Sleep (dwMilliseconds=0x1) [0138.118] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.118] Sleep (dwMilliseconds=0x1) [0138.134] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.134] Sleep (dwMilliseconds=0x1) [0138.149] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.149] Sleep (dwMilliseconds=0x1) [0138.165] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.165] Sleep (dwMilliseconds=0x1) [0138.180] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.180] Sleep (dwMilliseconds=0x1) [0138.196] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.196] Sleep (dwMilliseconds=0x1) [0138.211] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.212] Sleep (dwMilliseconds=0x1) [0138.227] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.227] Sleep (dwMilliseconds=0x1) [0138.243] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.243] Sleep (dwMilliseconds=0x1) [0138.258] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.258] Sleep (dwMilliseconds=0x1) [0138.274] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.274] Sleep (dwMilliseconds=0x1) [0138.289] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.290] Sleep (dwMilliseconds=0x1) [0138.305] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.305] Sleep (dwMilliseconds=0x1) [0138.326] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.326] Sleep (dwMilliseconds=0x1) [0138.336] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.336] Sleep (dwMilliseconds=0x1) [0138.352] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.352] Sleep (dwMilliseconds=0x1) [0138.368] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.368] Sleep (dwMilliseconds=0x1) [0138.383] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.383] Sleep (dwMilliseconds=0x1) [0138.399] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.399] Sleep (dwMilliseconds=0x1) [0138.416] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.416] Sleep (dwMilliseconds=0x1) [0138.430] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.430] Sleep (dwMilliseconds=0x1) [0138.446] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.446] Sleep (dwMilliseconds=0x1) [0138.461] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.461] Sleep (dwMilliseconds=0x1) [0138.477] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.477] Sleep (dwMilliseconds=0x1) [0138.492] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.492] Sleep (dwMilliseconds=0x1) [0138.508] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.508] Sleep (dwMilliseconds=0x1) [0138.524] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.524] Sleep (dwMilliseconds=0x1) [0138.540] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.540] Sleep (dwMilliseconds=0x1) [0138.555] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.555] Sleep (dwMilliseconds=0x1) [0138.570] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.570] Sleep (dwMilliseconds=0x1) [0138.586] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.586] Sleep (dwMilliseconds=0x1) [0138.601] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.602] Sleep (dwMilliseconds=0x1) [0138.617] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.617] Sleep (dwMilliseconds=0x1) [0138.633] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.633] Sleep (dwMilliseconds=0x1) [0138.648] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.648] Sleep (dwMilliseconds=0x1) [0138.664] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.664] Sleep (dwMilliseconds=0x1) [0138.680] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.680] Sleep (dwMilliseconds=0x1) [0138.695] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.695] Sleep (dwMilliseconds=0x1) [0138.711] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.711] Sleep (dwMilliseconds=0x1) [0138.726] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.726] Sleep (dwMilliseconds=0x1) [0138.744] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.744] Sleep (dwMilliseconds=0x1) [0138.758] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.758] Sleep (dwMilliseconds=0x1) [0138.773] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.773] Sleep (dwMilliseconds=0x1) [0138.789] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.789] Sleep (dwMilliseconds=0x1) [0138.804] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.804] Sleep (dwMilliseconds=0x1) [0138.820] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.820] Sleep (dwMilliseconds=0x1) [0138.835] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.836] Sleep (dwMilliseconds=0x1) [0138.851] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.851] Sleep (dwMilliseconds=0x1) [0138.867] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.867] Sleep (dwMilliseconds=0x1) [0138.882] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.882] Sleep (dwMilliseconds=0x1) [0138.899] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.899] Sleep (dwMilliseconds=0x1) [0138.913] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.914] Sleep (dwMilliseconds=0x1) [0138.929] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.929] Sleep (dwMilliseconds=0x1) [0138.945] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.945] Sleep (dwMilliseconds=0x1) [0138.960] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.961] Sleep (dwMilliseconds=0x1) [0138.976] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.976] Sleep (dwMilliseconds=0x1) [0138.992] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0138.992] Sleep (dwMilliseconds=0x1) [0139.007] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.007] Sleep (dwMilliseconds=0x1) [0139.023] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.023] Sleep (dwMilliseconds=0x1) [0139.038] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.038] Sleep (dwMilliseconds=0x1) [0139.054] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.054] Sleep (dwMilliseconds=0x1) [0139.070] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.070] Sleep (dwMilliseconds=0x1) [0139.085] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.085] Sleep (dwMilliseconds=0x1) [0139.101] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.101] Sleep (dwMilliseconds=0x1) [0139.116] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.116] Sleep (dwMilliseconds=0x1) [0139.134] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.134] Sleep (dwMilliseconds=0x1) [0139.148] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.148] Sleep (dwMilliseconds=0x1) [0139.163] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.163] Sleep (dwMilliseconds=0x1) [0139.179] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.179] Sleep (dwMilliseconds=0x1) [0139.194] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.194] Sleep (dwMilliseconds=0x1) [0139.210] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.210] Sleep (dwMilliseconds=0x1) [0139.227] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.227] Sleep (dwMilliseconds=0x1) [0139.241] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.241] Sleep (dwMilliseconds=0x1) [0139.258] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.258] Sleep (dwMilliseconds=0x1) [0139.272] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.272] Sleep (dwMilliseconds=0x1) [0139.289] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.289] Sleep (dwMilliseconds=0x1) [0139.304] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.304] Sleep (dwMilliseconds=0x1) [0139.319] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.319] Sleep (dwMilliseconds=0x1) [0139.340] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.340] Sleep (dwMilliseconds=0x1) [0139.350] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.350] Sleep (dwMilliseconds=0x1) [0139.366] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.366] Sleep (dwMilliseconds=0x1) [0139.381] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.382] Sleep (dwMilliseconds=0x1) [0139.397] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.397] Sleep (dwMilliseconds=0x1) [0139.413] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.413] Sleep (dwMilliseconds=0x1) [0139.428] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.428] Sleep (dwMilliseconds=0x1) [0139.446] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.446] Sleep (dwMilliseconds=0x1) [0139.460] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.460] Sleep (dwMilliseconds=0x1) [0139.476] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.476] Sleep (dwMilliseconds=0x1) [0139.491] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.491] Sleep (dwMilliseconds=0x1) [0139.507] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.507] Sleep (dwMilliseconds=0x1) [0139.524] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.524] Sleep (dwMilliseconds=0x1) [0139.537] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.538] Sleep (dwMilliseconds=0x1) [0139.553] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.553] Sleep (dwMilliseconds=0x1) [0139.569] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.569] Sleep (dwMilliseconds=0x1) [0139.584] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.585] Sleep (dwMilliseconds=0x1) [0139.600] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.600] Sleep (dwMilliseconds=0x1) [0139.616] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.616] Sleep (dwMilliseconds=0x1) [0139.631] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.631] Sleep (dwMilliseconds=0x1) [0139.647] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.647] Sleep (dwMilliseconds=0x1) [0139.662] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.662] Sleep (dwMilliseconds=0x1) [0139.678] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.678] Sleep (dwMilliseconds=0x1) [0139.693] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.694] Sleep (dwMilliseconds=0x1) [0139.709] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.709] Sleep (dwMilliseconds=0x1) [0139.727] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.727] Sleep (dwMilliseconds=0x1) [0139.740] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.740] Sleep (dwMilliseconds=0x1) [0139.756] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.756] Sleep (dwMilliseconds=0x1) [0139.772] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.772] Sleep (dwMilliseconds=0x1) [0139.787] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.787] Sleep (dwMilliseconds=0x1) [0139.803] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.803] Sleep (dwMilliseconds=0x1) [0139.818] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.818] Sleep (dwMilliseconds=0x1) [0139.834] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.834] Sleep (dwMilliseconds=0x1) [0139.850] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.850] Sleep (dwMilliseconds=0x1) [0139.865] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.865] Sleep (dwMilliseconds=0x1) [0139.881] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.881] Sleep (dwMilliseconds=0x1) [0139.896] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.896] Sleep (dwMilliseconds=0x1) [0139.912] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.912] Sleep (dwMilliseconds=0x1) [0139.928] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.928] Sleep (dwMilliseconds=0x1) [0139.943] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.943] Sleep (dwMilliseconds=0x1) [0139.960] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.960] Sleep (dwMilliseconds=0x1) [0139.974] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.974] Sleep (dwMilliseconds=0x1) [0139.990] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0139.990] Sleep (dwMilliseconds=0x1) [0140.006] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.006] Sleep (dwMilliseconds=0x1) [0140.021] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.021] Sleep (dwMilliseconds=0x1) [0140.037] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.037] Sleep (dwMilliseconds=0x1) [0140.052] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.052] Sleep (dwMilliseconds=0x1) [0140.068] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.068] Sleep (dwMilliseconds=0x1) [0140.083] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.084] Sleep (dwMilliseconds=0x1) [0140.099] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.099] Sleep (dwMilliseconds=0x1) [0140.115] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.115] Sleep (dwMilliseconds=0x1) [0140.130] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.130] Sleep (dwMilliseconds=0x1) [0140.146] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.146] Sleep (dwMilliseconds=0x1) [0140.162] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.162] Sleep (dwMilliseconds=0x1) [0140.177] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.177] Sleep (dwMilliseconds=0x1) [0140.193] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.193] Sleep (dwMilliseconds=0x1) [0140.208] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.208] Sleep (dwMilliseconds=0x1) [0140.224] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.224] Sleep (dwMilliseconds=0x1) [0140.240] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.240] Sleep (dwMilliseconds=0x1) [0140.255] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.255] Sleep (dwMilliseconds=0x1) [0140.271] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.271] Sleep (dwMilliseconds=0x1) [0140.286] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.286] Sleep (dwMilliseconds=0x1) [0140.302] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.302] Sleep (dwMilliseconds=0x1) [0140.317] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.317] Sleep (dwMilliseconds=0x1) [0140.333] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.333] Sleep (dwMilliseconds=0x1) [0140.354] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.354] Sleep (dwMilliseconds=0x1) [0140.364] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.364] Sleep (dwMilliseconds=0x1) [0140.380] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.380] Sleep (dwMilliseconds=0x1) [0140.395] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.396] Sleep (dwMilliseconds=0x1) [0140.411] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.411] Sleep (dwMilliseconds=0x1) [0140.427] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.427] Sleep (dwMilliseconds=0x1) [0140.442] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.442] Sleep (dwMilliseconds=0x1) [0140.458] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.458] Sleep (dwMilliseconds=0x1) [0140.473] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.474] Sleep (dwMilliseconds=0x1) [0140.489] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.489] Sleep (dwMilliseconds=0x1) [0140.505] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.505] Sleep (dwMilliseconds=0x1) [0140.520] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.520] Sleep (dwMilliseconds=0x1) [0140.536] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.536] Sleep (dwMilliseconds=0x1) [0140.552] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.552] Sleep (dwMilliseconds=0x1) [0140.567] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.567] Sleep (dwMilliseconds=0x1) [0140.583] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.583] Sleep (dwMilliseconds=0x1) [0140.598] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.598] Sleep (dwMilliseconds=0x1) [0140.614] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.614] Sleep (dwMilliseconds=0x1) [0140.631] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.631] Sleep (dwMilliseconds=0x1) [0140.645] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.645] Sleep (dwMilliseconds=0x1) [0140.661] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.661] Sleep (dwMilliseconds=0x1) [0140.676] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.676] Sleep (dwMilliseconds=0x1) [0140.692] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.692] Sleep (dwMilliseconds=0x1) [0140.708] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.708] Sleep (dwMilliseconds=0x1) [0140.723] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.723] Sleep (dwMilliseconds=0x1) [0140.739] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.739] Sleep (dwMilliseconds=0x1) [0140.754] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.754] Sleep (dwMilliseconds=0x1) [0140.780] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.780] Sleep (dwMilliseconds=0x1) [0140.785] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.786] Sleep (dwMilliseconds=0x1) [0140.801] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.801] Sleep (dwMilliseconds=0x1) [0140.817] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.817] Sleep (dwMilliseconds=0x1) [0140.832] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.832] Sleep (dwMilliseconds=0x1) [0140.848] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.848] Sleep (dwMilliseconds=0x1) [0140.863] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.864] Sleep (dwMilliseconds=0x1) [0140.879] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.879] Sleep (dwMilliseconds=0x1) [0140.895] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.895] Sleep (dwMilliseconds=0x1) [0140.910] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.910] Sleep (dwMilliseconds=0x1) [0140.926] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.926] Sleep (dwMilliseconds=0x1) [0140.941] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.942] Sleep (dwMilliseconds=0x1) [0140.958] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.958] Sleep (dwMilliseconds=0x1) [0140.973] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.973] Sleep (dwMilliseconds=0x1) [0140.988] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0140.988] Sleep (dwMilliseconds=0x1) [0141.004] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.004] Sleep (dwMilliseconds=0x1) [0141.021] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.022] Sleep (dwMilliseconds=0x1) [0141.035] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.035] Sleep (dwMilliseconds=0x1) [0141.051] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.051] Sleep (dwMilliseconds=0x1) [0141.066] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.066] Sleep (dwMilliseconds=0x1) [0141.082] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.082] Sleep (dwMilliseconds=0x1) [0141.097] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.098] Sleep (dwMilliseconds=0x1) [0141.113] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.113] Sleep (dwMilliseconds=0x1) [0141.129] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.129] Sleep (dwMilliseconds=0x1) [0141.144] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.144] Sleep (dwMilliseconds=0x1) [0141.160] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.160] Sleep (dwMilliseconds=0x1) [0141.175] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.176] Sleep (dwMilliseconds=0x1) [0141.191] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.191] Sleep (dwMilliseconds=0x1) [0141.207] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.207] Sleep (dwMilliseconds=0x1) [0141.222] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.222] Sleep (dwMilliseconds=0x1) [0141.238] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.238] Sleep (dwMilliseconds=0x1) [0141.254] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.254] Sleep (dwMilliseconds=0x1) [0141.269] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.269] Sleep (dwMilliseconds=0x1) [0141.285] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.285] Sleep (dwMilliseconds=0x1) [0141.300] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.300] Sleep (dwMilliseconds=0x1) [0141.316] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.316] Sleep (dwMilliseconds=0x1) [0141.331] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.332] Sleep (dwMilliseconds=0x1) [0141.347] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.347] Sleep (dwMilliseconds=0x1) [0141.368] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.368] Sleep (dwMilliseconds=0x1) [0141.378] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.378] Sleep (dwMilliseconds=0x1) [0141.394] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.394] Sleep (dwMilliseconds=0x1) [0141.409] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.409] Sleep (dwMilliseconds=0x1) [0141.425] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.425] Sleep (dwMilliseconds=0x1) [0141.441] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.441] Sleep (dwMilliseconds=0x1) [0141.456] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.456] Sleep (dwMilliseconds=0x1) [0141.472] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.472] Sleep (dwMilliseconds=0x1) [0141.488] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.488] Sleep (dwMilliseconds=0x1) [0141.503] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.503] Sleep (dwMilliseconds=0x1) [0141.519] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.519] Sleep (dwMilliseconds=0x1) [0141.534] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.534] Sleep (dwMilliseconds=0x1) [0141.550] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.550] Sleep (dwMilliseconds=0x1) [0141.565] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.565] Sleep (dwMilliseconds=0x1) [0141.581] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.581] Sleep (dwMilliseconds=0x1) [0141.597] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.597] Sleep (dwMilliseconds=0x1) [0141.612] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.612] Sleep (dwMilliseconds=0x1) [0141.628] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.628] Sleep (dwMilliseconds=0x1) [0141.643] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.643] Sleep (dwMilliseconds=0x1) [0141.659] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.659] Sleep (dwMilliseconds=0x1) [0141.675] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.675] Sleep (dwMilliseconds=0x1) [0141.690] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.690] Sleep (dwMilliseconds=0x1) [0141.706] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.706] Sleep (dwMilliseconds=0x1) [0141.721] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.722] Sleep (dwMilliseconds=0x1) [0141.737] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.737] Sleep (dwMilliseconds=0x1) [0141.753] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.753] Sleep (dwMilliseconds=0x1) [0141.768] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.768] Sleep (dwMilliseconds=0x1) [0141.784] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.784] Sleep (dwMilliseconds=0x1) [0141.802] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.802] Sleep (dwMilliseconds=0x1) [0141.815] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.815] Sleep (dwMilliseconds=0x1) [0141.831] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.831] Sleep (dwMilliseconds=0x1) [0141.846] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.846] Sleep (dwMilliseconds=0x1) [0141.863] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.863] Sleep (dwMilliseconds=0x1) [0141.877] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.877] Sleep (dwMilliseconds=0x1) [0141.893] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.893] Sleep (dwMilliseconds=0x1) [0141.909] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.909] Sleep (dwMilliseconds=0x1) [0141.924] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.924] Sleep (dwMilliseconds=0x1) [0141.940] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.940] Sleep (dwMilliseconds=0x1) [0141.956] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.956] Sleep (dwMilliseconds=0x1) [0141.972] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.972] Sleep (dwMilliseconds=0x1) [0141.987] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0141.987] Sleep (dwMilliseconds=0x1) [0142.002] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.002] Sleep (dwMilliseconds=0x1) [0142.018] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.018] Sleep (dwMilliseconds=0x1) [0142.034] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.034] Sleep (dwMilliseconds=0x1) [0142.049] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.049] Sleep (dwMilliseconds=0x1) [0142.065] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.065] Sleep (dwMilliseconds=0x1) [0142.080] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.080] Sleep (dwMilliseconds=0x1) [0142.096] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.096] Sleep (dwMilliseconds=0x1) [0142.112] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.112] Sleep (dwMilliseconds=0x1) [0142.127] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.127] Sleep (dwMilliseconds=0x1) [0142.143] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.143] Sleep (dwMilliseconds=0x1) [0142.158] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.158] Sleep (dwMilliseconds=0x1) [0142.174] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.174] Sleep (dwMilliseconds=0x1) [0142.190] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.190] Sleep (dwMilliseconds=0x1) [0142.205] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.205] Sleep (dwMilliseconds=0x1) [0142.221] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.221] Sleep (dwMilliseconds=0x1) [0142.238] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.238] Sleep (dwMilliseconds=0x1) [0142.252] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.252] Sleep (dwMilliseconds=0x1) [0142.268] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.268] Sleep (dwMilliseconds=0x1) [0142.283] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.283] Sleep (dwMilliseconds=0x1) [0142.299] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.299] Sleep (dwMilliseconds=0x1) [0142.314] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.314] Sleep (dwMilliseconds=0x1) [0142.330] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.330] Sleep (dwMilliseconds=0x1) [0142.346] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.346] Sleep (dwMilliseconds=0x1) [0142.361] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.361] Sleep (dwMilliseconds=0x1) [0142.377] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.377] Sleep (dwMilliseconds=0x1) [0142.392] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.392] Sleep (dwMilliseconds=0x1) [0142.408] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.408] Sleep (dwMilliseconds=0x1) [0142.424] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.424] Sleep (dwMilliseconds=0x1) [0142.440] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.440] Sleep (dwMilliseconds=0x1) [0142.455] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.455] Sleep (dwMilliseconds=0x1) [0142.470] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.470] Sleep (dwMilliseconds=0x1) [0142.486] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.486] Sleep (dwMilliseconds=0x1) [0142.501] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.502] Sleep (dwMilliseconds=0x1) [0142.517] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.517] Sleep (dwMilliseconds=0x1) [0142.533] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.533] Sleep (dwMilliseconds=0x1) [0142.548] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.549] Sleep (dwMilliseconds=0x1) [0142.564] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.564] Sleep (dwMilliseconds=0x1) [0142.580] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.580] Sleep (dwMilliseconds=0x1) [0142.595] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.595] Sleep (dwMilliseconds=0x1) [0142.611] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.611] Sleep (dwMilliseconds=0x1) [0142.626] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.626] Sleep (dwMilliseconds=0x1) [0142.642] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.642] Sleep (dwMilliseconds=0x1) [0142.657] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.658] Sleep (dwMilliseconds=0x1) [0142.673] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.673] Sleep (dwMilliseconds=0x1) [0142.689] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.689] Sleep (dwMilliseconds=0x1) [0142.704] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.704] Sleep (dwMilliseconds=0x1) [0142.720] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.720] Sleep (dwMilliseconds=0x1) [0142.736] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.736] Sleep (dwMilliseconds=0x1) [0142.751] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.751] Sleep (dwMilliseconds=0x1) [0142.767] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.767] Sleep (dwMilliseconds=0x1) [0142.782] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.782] Sleep (dwMilliseconds=0x1) [0142.798] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.798] Sleep (dwMilliseconds=0x1) [0142.813] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.814] Sleep (dwMilliseconds=0x1) [0142.829] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.829] Sleep (dwMilliseconds=0x1) [0142.845] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.845] Sleep (dwMilliseconds=0x1) [0142.860] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.860] Sleep (dwMilliseconds=0x1) [0142.876] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.876] Sleep (dwMilliseconds=0x1) [0142.892] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.892] Sleep (dwMilliseconds=0x1) [0142.909] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.909] Sleep (dwMilliseconds=0x1) [0142.923] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.923] Sleep (dwMilliseconds=0x1) [0142.938] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.938] Sleep (dwMilliseconds=0x1) [0142.954] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.954] Sleep (dwMilliseconds=0x1) [0142.969] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.970] Sleep (dwMilliseconds=0x1) [0142.985] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0142.985] Sleep (dwMilliseconds=0x1) [0143.002] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.002] Sleep (dwMilliseconds=0x1) [0143.016] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.016] Sleep (dwMilliseconds=0x1) [0143.032] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.032] Sleep (dwMilliseconds=0x1) [0143.048] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.048] Sleep (dwMilliseconds=0x1) [0143.063] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.063] Sleep (dwMilliseconds=0x1) [0143.079] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.079] Sleep (dwMilliseconds=0x1) [0143.094] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.094] Sleep (dwMilliseconds=0x1) [0143.110] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.110] Sleep (dwMilliseconds=0x1) [0143.126] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.126] Sleep (dwMilliseconds=0x1) [0143.141] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.141] Sleep (dwMilliseconds=0x1) [0143.157] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.157] Sleep (dwMilliseconds=0x1) [0143.172] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.172] Sleep (dwMilliseconds=0x1) [0143.188] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.188] Sleep (dwMilliseconds=0x1) [0143.203] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.204] Sleep (dwMilliseconds=0x1) [0143.219] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.219] Sleep (dwMilliseconds=0x1) [0143.235] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.235] Sleep (dwMilliseconds=0x1) [0143.250] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.250] Sleep (dwMilliseconds=0x1) [0143.266] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.266] Sleep (dwMilliseconds=0x1) [0143.282] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.282] Sleep (dwMilliseconds=0x1) [0143.299] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.299] Sleep (dwMilliseconds=0x1) [0143.313] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.313] Sleep (dwMilliseconds=0x1) [0143.328] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.329] Sleep (dwMilliseconds=0x1) [0143.344] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.344] Sleep (dwMilliseconds=0x1) [0143.360] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.360] Sleep (dwMilliseconds=0x1) [0143.375] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.375] Sleep (dwMilliseconds=0x1) [0143.397] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.397] Sleep (dwMilliseconds=0x1) [0143.406] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.406] Sleep (dwMilliseconds=0x1) [0143.422] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.422] Sleep (dwMilliseconds=0x1) [0143.438] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.438] Sleep (dwMilliseconds=0x1) [0143.453] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.453] Sleep (dwMilliseconds=0x1) [0143.469] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.469] Sleep (dwMilliseconds=0x1) [0143.484] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.484] Sleep (dwMilliseconds=0x1) [0143.500] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.500] Sleep (dwMilliseconds=0x1) [0143.515] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.516] Sleep (dwMilliseconds=0x1) [0143.531] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.531] Sleep (dwMilliseconds=0x1) [0143.547] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.547] Sleep (dwMilliseconds=0x1) [0143.562] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.562] Sleep (dwMilliseconds=0x1) [0143.578] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.578] Sleep (dwMilliseconds=0x1) [0143.593] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.594] Sleep (dwMilliseconds=0x1) [0143.609] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.609] Sleep (dwMilliseconds=0x1) [0143.625] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.625] Sleep (dwMilliseconds=0x1) [0143.640] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.640] Sleep (dwMilliseconds=0x1) [0143.656] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.656] Sleep (dwMilliseconds=0x1) [0143.672] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.672] Sleep (dwMilliseconds=0x1) [0143.687] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.687] Sleep (dwMilliseconds=0x1) [0143.703] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.703] Sleep (dwMilliseconds=0x1) [0143.718] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.719] Sleep (dwMilliseconds=0x1) [0143.734] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.734] Sleep (dwMilliseconds=0x1) [0143.750] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.750] Sleep (dwMilliseconds=0x1) [0143.765] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.765] Sleep (dwMilliseconds=0x1) [0143.781] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.781] Sleep (dwMilliseconds=0x1) [0143.796] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.796] Sleep (dwMilliseconds=0x1) [0143.812] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.812] Sleep (dwMilliseconds=0x1) [0143.828] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.828] Sleep (dwMilliseconds=0x1) [0143.843] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.843] Sleep (dwMilliseconds=0x1) [0143.859] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.859] Sleep (dwMilliseconds=0x1) [0143.874] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.874] Sleep (dwMilliseconds=0x1) [0143.890] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.890] Sleep (dwMilliseconds=0x1) [0143.906] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.906] Sleep (dwMilliseconds=0x1) [0143.921] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.921] Sleep (dwMilliseconds=0x1) [0143.937] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.937] Sleep (dwMilliseconds=0x1) [0143.952] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.952] Sleep (dwMilliseconds=0x1) [0143.968] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.968] Sleep (dwMilliseconds=0x1) [0143.984] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.984] Sleep (dwMilliseconds=0x1) [0143.999] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0143.999] Sleep (dwMilliseconds=0x1) [0144.016] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.016] Sleep (dwMilliseconds=0x1) [0144.030] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.031] Sleep (dwMilliseconds=0x1) [0144.046] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.046] Sleep (dwMilliseconds=0x1) [0144.061] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.062] Sleep (dwMilliseconds=0x1) [0144.077] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.077] Sleep (dwMilliseconds=0x1) [0144.093] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.093] Sleep (dwMilliseconds=0x1) [0144.108] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.109] Sleep (dwMilliseconds=0x1) [0144.124] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.124] Sleep (dwMilliseconds=0x1) [0144.140] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.140] Sleep (dwMilliseconds=0x1) [0144.155] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.155] Sleep (dwMilliseconds=0x1) [0144.171] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.171] Sleep (dwMilliseconds=0x1) [0144.186] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.186] Sleep (dwMilliseconds=0x1) [0144.202] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.202] Sleep (dwMilliseconds=0x1) [0144.218] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.218] Sleep (dwMilliseconds=0x1) [0144.233] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.233] Sleep (dwMilliseconds=0x1) [0144.249] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.249] Sleep (dwMilliseconds=0x1) [0144.264] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.264] Sleep (dwMilliseconds=0x1) [0144.280] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.280] Sleep (dwMilliseconds=0x1) [0144.296] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.296] Sleep (dwMilliseconds=0x1) [0144.311] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.311] Sleep (dwMilliseconds=0x1) [0144.327] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.327] Sleep (dwMilliseconds=0x1) [0144.342] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.342] Sleep (dwMilliseconds=0x1) [0144.358] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.358] Sleep (dwMilliseconds=0x1) [0144.374] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.374] Sleep (dwMilliseconds=0x1) [0144.389] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.389] Sleep (dwMilliseconds=0x1) [0144.413] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.413] Sleep (dwMilliseconds=0x1) [0144.420] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.420] Sleep (dwMilliseconds=0x1) [0144.436] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.436] Sleep (dwMilliseconds=0x1) [0144.452] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.452] Sleep (dwMilliseconds=0x1) [0144.467] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.467] Sleep (dwMilliseconds=0x1) [0144.483] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.483] Sleep (dwMilliseconds=0x1) [0144.498] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.498] Sleep (dwMilliseconds=0x1) [0144.514] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.514] Sleep (dwMilliseconds=0x1) [0144.530] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.530] Sleep (dwMilliseconds=0x1) [0144.545] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.545] Sleep (dwMilliseconds=0x1) [0144.561] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.561] Sleep (dwMilliseconds=0x1) [0144.576] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.576] Sleep (dwMilliseconds=0x1) [0144.592] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.592] Sleep (dwMilliseconds=0x1) [0144.608] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.608] Sleep (dwMilliseconds=0x1) [0144.623] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.623] Sleep (dwMilliseconds=0x1) [0144.639] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.639] Sleep (dwMilliseconds=0x1) [0144.654] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.654] Sleep (dwMilliseconds=0x1) [0144.670] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.670] Sleep (dwMilliseconds=0x1) [0144.685] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.686] Sleep (dwMilliseconds=0x1) [0144.701] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.701] Sleep (dwMilliseconds=0x1) [0144.717] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.717] Sleep (dwMilliseconds=0x1) [0144.732] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.732] Sleep (dwMilliseconds=0x1) [0144.748] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.748] Sleep (dwMilliseconds=0x1) [0144.763] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.764] Sleep (dwMilliseconds=0x1) [0144.779] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.779] Sleep (dwMilliseconds=0x1) [0144.796] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.796] Sleep (dwMilliseconds=0x1) [0144.810] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.810] Sleep (dwMilliseconds=0x1) [0144.826] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.826] Sleep (dwMilliseconds=0x1) [0144.842] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.842] Sleep (dwMilliseconds=0x1) [0144.857] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.857] Sleep (dwMilliseconds=0x1) [0144.873] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.873] Sleep (dwMilliseconds=0x1) [0144.888] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.888] Sleep (dwMilliseconds=0x1) [0144.904] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.904] Sleep (dwMilliseconds=0x1) [0144.920] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.920] Sleep (dwMilliseconds=0x1) [0144.935] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.935] Sleep (dwMilliseconds=0x1) [0144.951] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.951] Sleep (dwMilliseconds=0x1) [0144.966] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.966] Sleep (dwMilliseconds=0x1) [0144.982] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.982] Sleep (dwMilliseconds=0x1) [0144.997] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0144.998] Sleep (dwMilliseconds=0x1) [0145.013] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.013] Sleep (dwMilliseconds=0x1) [0145.029] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.029] Sleep (dwMilliseconds=0x1) [0145.044] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.044] Sleep (dwMilliseconds=0x1) [0145.060] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.060] Sleep (dwMilliseconds=0x1) [0145.076] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.076] Sleep (dwMilliseconds=0x1) [0145.091] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.091] Sleep (dwMilliseconds=0x1) [0145.107] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.107] Sleep (dwMilliseconds=0x1) [0145.122] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.122] Sleep (dwMilliseconds=0x1) [0145.138] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.138] Sleep (dwMilliseconds=0x1) [0145.154] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.154] Sleep (dwMilliseconds=0x1) [0145.169] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.169] Sleep (dwMilliseconds=0x1) [0145.187] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.187] Sleep (dwMilliseconds=0x1) [0145.200] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.200] Sleep (dwMilliseconds=0x1) [0145.216] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.216] Sleep (dwMilliseconds=0x1) [0145.232] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.232] Sleep (dwMilliseconds=0x1) [0145.247] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.247] Sleep (dwMilliseconds=0x1) [0145.263] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.263] Sleep (dwMilliseconds=0x1) [0145.278] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.278] Sleep (dwMilliseconds=0x1) [0145.294] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.294] Sleep (dwMilliseconds=0x1) [0145.310] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.310] Sleep (dwMilliseconds=0x1) [0145.325] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.325] Sleep (dwMilliseconds=0x1) [0145.341] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.341] Sleep (dwMilliseconds=0x1) [0145.356] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.356] Sleep (dwMilliseconds=0x1) [0145.372] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.372] Sleep (dwMilliseconds=0x1) [0145.388] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.388] Sleep (dwMilliseconds=0x1) [0145.403] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.403] Sleep (dwMilliseconds=0x1) [0145.427] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.427] Sleep (dwMilliseconds=0x1) [0145.435] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.435] Sleep (dwMilliseconds=0x1) [0145.450] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.450] Sleep (dwMilliseconds=0x1) [0145.466] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.466] Sleep (dwMilliseconds=0x1) [0145.481] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.481] Sleep (dwMilliseconds=0x1) [0145.497] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.497] Sleep (dwMilliseconds=0x1) [0145.512] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.512] Sleep (dwMilliseconds=0x1) [0145.528] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.528] Sleep (dwMilliseconds=0x1) [0145.544] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.544] Sleep (dwMilliseconds=0x1) [0145.559] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.559] Sleep (dwMilliseconds=0x1) [0145.575] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.575] Sleep (dwMilliseconds=0x1) [0145.590] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.590] Sleep (dwMilliseconds=0x1) [0145.606] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.606] Sleep (dwMilliseconds=0x1) [0145.622] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.622] Sleep (dwMilliseconds=0x1) [0145.637] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.637] Sleep (dwMilliseconds=0x1) [0145.653] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.653] Sleep (dwMilliseconds=0x1) [0145.669] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.669] Sleep (dwMilliseconds=0x1) [0145.684] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.684] Sleep (dwMilliseconds=0x1) [0145.700] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.700] Sleep (dwMilliseconds=0x1) [0145.715] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.715] Sleep (dwMilliseconds=0x1) [0145.731] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.731] Sleep (dwMilliseconds=0x1) [0145.746] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.746] Sleep (dwMilliseconds=0x1) [0145.762] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.762] Sleep (dwMilliseconds=0x1) [0145.777] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.778] Sleep (dwMilliseconds=0x1) [0145.793] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.793] Sleep (dwMilliseconds=0x1) [0145.809] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.809] Sleep (dwMilliseconds=0x1) [0145.825] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.825] Sleep (dwMilliseconds=0x1) [0145.840] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.840] Sleep (dwMilliseconds=0x1) [0145.856] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.856] Sleep (dwMilliseconds=0x1) [0145.871] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.871] Sleep (dwMilliseconds=0x1) [0145.887] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.887] Sleep (dwMilliseconds=0x1) [0145.904] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.904] Sleep (dwMilliseconds=0x1) [0145.918] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.918] Sleep (dwMilliseconds=0x1) [0145.934] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.934] Sleep (dwMilliseconds=0x1) [0145.949] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.949] Sleep (dwMilliseconds=0x1) [0145.965] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.965] Sleep (dwMilliseconds=0x1) [0145.980] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.980] Sleep (dwMilliseconds=0x1) [0145.996] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0145.996] Sleep (dwMilliseconds=0x1) [0146.012] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.012] Sleep (dwMilliseconds=0x1) [0146.027] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.027] Sleep (dwMilliseconds=0x1) [0146.043] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.043] Sleep (dwMilliseconds=0x1) [0146.058] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.058] Sleep (dwMilliseconds=0x1) [0146.074] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.074] Sleep (dwMilliseconds=0x1) [0146.090] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.090] Sleep (dwMilliseconds=0x1) [0146.105] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.105] Sleep (dwMilliseconds=0x1) [0146.121] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.121] Sleep (dwMilliseconds=0x1) [0146.136] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.136] Sleep (dwMilliseconds=0x1) [0146.152] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.152] Sleep (dwMilliseconds=0x1) [0146.168] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.168] Sleep (dwMilliseconds=0x1) [0146.183] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.183] Sleep (dwMilliseconds=0x1) [0146.199] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.199] Sleep (dwMilliseconds=0x1) [0146.214] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.214] Sleep (dwMilliseconds=0x1) [0146.230] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.230] Sleep (dwMilliseconds=0x1) [0146.245] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.246] Sleep (dwMilliseconds=0x1) [0146.261] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.261] Sleep (dwMilliseconds=0x1) [0146.277] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.277] Sleep (dwMilliseconds=0x1) [0146.294] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.294] Sleep (dwMilliseconds=0x1) [0146.308] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.308] Sleep (dwMilliseconds=0x1) [0146.323] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.324] Sleep (dwMilliseconds=0x1) [0146.339] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.339] Sleep (dwMilliseconds=0x1) [0146.355] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.355] Sleep (dwMilliseconds=0x1) [0146.370] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.370] Sleep (dwMilliseconds=0x1) [0146.386] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.386] Sleep (dwMilliseconds=0x1) [0146.401] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.401] Sleep (dwMilliseconds=0x1) [0146.417] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=1070, y=121)) returned 1 [0146.417] Sleep (dwMilliseconds=0x1) [0146.441] GetCursorPos (in: lpPoint=0x18f774 | out: lpPoint=0x18f774*(x=15, y=821)) returned 1 [0146.441] SetErrorMode (uMode=0x8001) returned 0x0 [0146.441] LoadLibraryA (lpLibFileName="advapi32") returned 0x76260000 [0146.443] SetErrorMode (uMode=0x0) returned 0x8001 [0146.443] GetProcAddress (hModule=0x76260000, lpProcName="RegOpenKeyExA") returned 0x76274907 [0146.443] SetErrorMode (uMode=0x8001) returned 0x0 [0146.443] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0146.444] SetErrorMode (uMode=0x0) returned 0x8001 [0146.444] GetProcAddress (hModule=0x76720000, lpProcName="CloseHandle") returned 0x76731410 [0146.444] SetErrorMode (uMode=0x8001) returned 0x0 [0146.444] LoadLibraryA (lpLibFileName="shell32") returned 0x75080000 [0147.261] SetErrorMode (uMode=0x0) returned 0x8001 [0147.261] GetProcAddress (hModule=0x75080000, lpProcName="ShellExecuteW") returned 0x75093c71 [0147.261] SetErrorMode (uMode=0x8001) returned 0x0 [0147.261] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.262] SetErrorMode (uMode=0x0) returned 0x8001 [0147.262] GetProcAddress (hModule=0x76720000, lpProcName="WriteFile") returned 0x76731282 [0147.262] SetErrorMode (uMode=0x8001) returned 0x0 [0147.262] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.262] SetErrorMode (uMode=0x0) returned 0x8001 [0147.262] GetProcAddress (hModule=0x76720000, lpProcName="CreateFileW") returned 0x76733f5c [0147.262] SetErrorMode (uMode=0x8001) returned 0x0 [0147.262] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.262] SetErrorMode (uMode=0x0) returned 0x8001 [0147.262] GetProcAddress (hModule=0x76720000, lpProcName="TerminateProcess") returned 0x7674d802 [0147.262] SetErrorMode (uMode=0x8001) returned 0x0 [0147.262] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.262] SetErrorMode (uMode=0x0) returned 0x8001 [0147.262] GetProcAddress (hModule=0x76720000, lpProcName="VirtualProtectEx") returned 0x767b45bf [0147.262] SetErrorMode (uMode=0x8001) returned 0x0 [0147.262] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.262] SetErrorMode (uMode=0x0) returned 0x8001 [0147.263] GetProcAddress (hModule=0x76720000, lpProcName="CreateProcessW") returned 0x7673103d [0147.263] SetErrorMode (uMode=0x8001) returned 0x0 [0147.263] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.263] SetErrorMode (uMode=0x0) returned 0x8001 [0147.263] GetProcAddress (hModule=0x76720000, lpProcName="GetTempPathW") returned 0x7674d4dc [0147.263] SetErrorMode (uMode=0x8001) returned 0x0 [0147.263] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.263] SetErrorMode (uMode=0x0) returned 0x8001 [0147.263] GetProcAddress (hModule=0x76720000, lpProcName="GetLongPathNameW") returned 0x7673a315 [0147.263] SetErrorMode (uMode=0x8001) returned 0x0 [0147.263] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.263] SetErrorMode (uMode=0x0) returned 0x8001 [0147.263] GetProcAddress (hModule=0x76720000, lpProcName="GetFileSize") returned 0x7673196e [0147.263] SetErrorMode (uMode=0x8001) returned 0x0 [0147.263] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.264] SetErrorMode (uMode=0x0) returned 0x8001 [0147.264] GetProcAddress (hModule=0x76720000, lpProcName="ReadFile") returned 0x76733ed3 [0147.264] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x1ea, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0147.270] SetErrorMode (uMode=0x8001) returned 0x0 [0147.270] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.270] SetErrorMode (uMode=0x0) returned 0x8001 [0147.270] GetProcAddress (hModule=0x76720000, lpProcName="GetCommandLineW") returned 0x76735223 [0147.270] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S" [0147.270] CreateProcessW (in: lpApplicationName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", lpCommandLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3510048*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x351008c | out: lpCommandLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S", lpProcessInformation=0x351008c*(hProcess=0x160, hThread=0x15c, dwProcessId=0x338, dwThreadId=0x614)) returned 1 [0147.345] SetErrorMode (uMode=0x8001) returned 0x0 [0147.345] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.345] SetErrorMode (uMode=0x0) returned 0x8001 [0147.345] GetProcAddress (hModule=0x77490000, lpProcName="NtAllocateVirtualMemory") returned 0x774afab0 [0147.345] SetErrorMode (uMode=0x8001) returned 0x0 [0147.346] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.346] SetErrorMode (uMode=0x0) returned 0x8001 [0147.346] GetProcAddress (hModule=0x77490000, lpProcName="NtWriteVirtualMemory") returned 0x774afe04 [0147.346] SetErrorMode (uMode=0x8001) returned 0x0 [0147.346] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.346] SetErrorMode (uMode=0x0) returned 0x8001 [0147.346] GetProcAddress (hModule=0x77490000, lpProcName="NtTerminateThread") returned 0x774b0074 [0147.346] SetErrorMode (uMode=0x8001) returned 0x0 [0147.346] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.346] SetErrorMode (uMode=0x0) returned 0x8001 [0147.346] GetProcAddress (hModule=0x77490000, lpProcName="NtOpenEvent") returned 0x774afe98 [0147.346] SetErrorMode (uMode=0x8001) returned 0x0 [0147.346] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.346] SetErrorMode (uMode=0x0) returned 0x8001 [0147.346] GetProcAddress (hModule=0x77490000, lpProcName="NtUnmapViewOfSection") returned 0x774afc70 [0147.346] NtUnmapViewOfSection (ProcessHandle=0x160, BaseAddress=0x400000) returned 0x0 [0147.347] NtAllocateVirtualMemory (in: ProcessHandle=0x160, BaseAddress=0x3510004*=0x400000, ZeroBits=0x0, RegionSize=0x3516118*=0x24000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x3510004*=0x400000, RegionSize=0x3516118*=0x24000) returned 0x0 [0147.355] NtWriteVirtualMemory (in: ProcessHandle=0x160, BaseAddress=0x400000, Buffer=0x3516000*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x3516000*, NumberOfBytesWritten=0x0) returned 0x0 [0147.355] NtWriteVirtualMemory (in: ProcessHandle=0x160, BaseAddress=0x400000, Buffer=0x3516000*, NumberOfBytesToWrite=0x1, NumberOfBytesWritten=0x0 | out: Buffer=0x3516000*, NumberOfBytesWritten=0x0) returned 0x0 [0147.355] NtWriteVirtualMemory (in: ProcessHandle=0x160, BaseAddress=0x401000, Buffer=0x3517000*, NumberOfBytesToWrite=0x22a00, NumberOfBytesWritten=0x0 | out: Buffer=0x3517000*, NumberOfBytesWritten=0x0) returned 0x0 [0147.356] SetErrorMode (uMode=0x8001) returned 0x0 [0147.356] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.356] SetErrorMode (uMode=0x0) returned 0x8001 [0147.357] GetProcAddress (hModule=0x77490000, lpProcName="NtGetContextThread") returned 0x774b0c20 [0147.357] NtGetContextThread (in: ThreadHandle=0x15c, Context=0x351009c | out: Context=0x351009c*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x4012a4, Ebp=0x0, Eip=0x774a01c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x40, [6]=0x2, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0147.357] NtWriteVirtualMemory (in: ProcessHandle=0x160, BaseAddress=0x7efde008, Buffer=0x3510004*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x0 | out: Buffer=0x3510004*, NumberOfBytesWritten=0x0) returned 0x0 [0147.357] SetErrorMode (uMode=0x8001) returned 0x0 [0147.357] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.357] SetErrorMode (uMode=0x0) returned 0x8001 [0147.357] GetProcAddress (hModule=0x77490000, lpProcName="NtSetContextThread") returned 0x774b1910 [0147.357] NtSetContextThread (ThreadHandle=0x15c, Context=0x351009c*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x418c20, Ebp=0x0, Eip=0x774a01c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x40, [6]=0x2, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0147.357] SetErrorMode (uMode=0x8001) returned 0x0 [0147.357] LoadLibraryA (lpLibFileName="ntdll") returned 0x77490000 [0147.358] SetErrorMode (uMode=0x0) returned 0x8001 [0147.358] GetProcAddress (hModule=0x77490000, lpProcName="NtResumeThread") returned 0x774b0058 [0147.358] NtResumeThread (in: ThreadHandle=0x15c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0147.358] SetErrorMode (uMode=0x8001) returned 0x0 [0147.358] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000 [0147.358] SetErrorMode (uMode=0x0) returned 0x8001 [0147.358] GetProcAddress (hModule=0x76720000, lpProcName="GetExitCodeProcess") returned 0x7674174d [0147.358] GetExitCodeProcess (in: hProcess=0x160, lpExitCode=0x35107fc | out: lpExitCode=0x35107fc*=0x103) returned 1 [0147.358] TerminateProcess (hProcess=0xffffffff, uExitCode=0x0) Thread: id = 52 os_tid = 0x658 Thread: id = 53 os_tid = 0x124 [0145.934] GetCurrentThreadId () returned 0x124 Thread: id = 54 os_tid = 0x340 [0145.935] GetCurrentThreadId () returned 0x340 Process: id = "10" image_name = "igfxonux.scr" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr" page_root = "0x6e22a000" os_pid = "0x338" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x53c" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr\" /S" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e25d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1242 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1243 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1244 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1245 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1246 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1247 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1248 start_va = 0x400000 end_va = 0x423fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1249 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1250 start_va = 0x77490000 end_va = 0x7760ffff entry_point = 0x77490000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1251 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1252 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1253 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1254 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1255 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1256 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1257 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1258 start_va = 0x380000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 1259 start_va = 0x73a00000 end_va = 0x73a07fff entry_point = 0x73a020f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1260 start_va = 0x73a10000 end_va = 0x73a6bfff entry_point = 0x73a4f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1261 start_va = 0x73a70000 end_va = 0x73aaefff entry_point = 0x73a9de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1262 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1263 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1264 start_va = 0x610000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1265 start_va = 0x76720000 end_va = 0x7682ffff entry_point = 0x767332d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1266 start_va = 0x76e10000 end_va = 0x76e55fff entry_point = 0x76e17478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1267 start_va = 0x77090000 end_va = 0x771aefff entry_point = 0x0 region_type = private name = "private_0x0000000077090000" filename = "" Region: id = 1268 start_va = 0x771b0000 end_va = 0x772a9fff entry_point = 0x0 region_type = private name = "private_0x00000000771b0000" filename = "" Region: id = 1269 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1270 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1271 start_va = 0x430000 end_va = 0x5b0fff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1272 start_va = 0x710000 end_va = 0xa12fff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1273 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1274 start_va = 0x76260000 end_va = 0x762fffff entry_point = 0x762749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1275 start_va = 0x76ca0000 end_va = 0x76d4bfff entry_point = 0x76caa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1276 start_va = 0x76e70000 end_va = 0x76e88fff entry_point = 0x76e74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1277 start_va = 0x768f0000 end_va = 0x769dffff entry_point = 0x76900569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1278 start_va = 0x74ff0000 end_va = 0x7504ffff entry_point = 0x7500a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1279 start_va = 0x74fe0000 end_va = 0x74febfff entry_point = 0x74fe10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1280 start_va = 0x210000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1281 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1282 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1283 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1284 start_va = 0x430000 end_va = 0x453fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1285 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1286 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1287 start_va = 0x460000 end_va = 0x4e8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 1677 start_va = 0x30000 end_va = 0x3dfff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1678 start_va = 0x350000 end_va = 0x35dfff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1679 start_va = 0x76f90000 end_va = 0x7708ffff entry_point = 0x76fab6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1680 start_va = 0x76300000 end_va = 0x7638ffff entry_point = 0x76316343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1681 start_va = 0x76d50000 end_va = 0x76d59fff entry_point = 0x76d536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1682 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76da3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1683 start_va = 0x4f0000 end_va = 0x50dfff entry_point = 0x50158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1684 start_va = 0xa20000 end_va = 0xba7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 1685 start_va = 0x4f0000 end_va = 0x50dfff entry_point = 0x50158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1686 start_va = 0x764d0000 end_va = 0x7652ffff entry_point = 0x764e158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1687 start_va = 0x76160000 end_va = 0x7622bfff entry_point = 0x7616168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1688 start_va = 0x370000 end_va = 0x370fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1689 start_va = 0x4f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 1690 start_va = 0xbb0000 end_va = 0xd30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 1691 start_va = 0xd40000 end_va = 0x213ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 1724 start_va = 0x500000 end_va = 0x523fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1726 start_va = 0x530000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Thread: id = 55 os_tid = 0x614 [0147.390] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x18f36c | out: HeapArray=0x18f36c*=0x610000) returned 0x1 [0147.396] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x18f320, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.397] NtCreateFile (in: FileHandle=0x18f34c, DesiredAccess=0x120089, ObjectAttributes=0x18f308*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f328, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f34c*=0x20, IoStatusBlock=0x18f328*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0147.416] NtQueryInformationFile (in: FileHandle=0x20, IoStatusBlock=0x18f328, FileInformation=0x18f280, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x18f328, FileInformation=0x18f280) returned 0x0 [0147.430] NtReadFile (in: FileHandle=0x20, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x18f328, Buffer=0x210020, BufferLength=0x13b740, ByteOffset=0x18f298*=0, Key=0x0 | out: IoStatusBlock=0x18f328, Buffer=0x210020*) returned 0x0 [0147.442] NtClose (Handle=0x20) returned 0x0 [0147.469] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x18f2c0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0147.469] NtCreateFile (in: FileHandle=0x18f2ec, DesiredAccess=0x120089, ObjectAttributes=0x18f2a8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f2c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f2ec*=0x20, IoStatusBlock=0x18f2c8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0147.469] NtQueryInformationFile (in: FileHandle=0x20, IoStatusBlock=0x18f2c8, FileInformation=0x18f03c, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x18f2c8, FileInformation=0x18f03c) returned 0x0 [0147.469] NtClose (Handle=0x20) returned 0x0 [0147.472] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x73a01320, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x18f2f8, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x18f2f8*(BaseAddress=0x73a01000, AllocationBase=0x73a00000, AllocationProtect=0x80, RegionSize=0x3000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0147.679] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x18f350, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x18f350, ResultLength=0x0) returned 0x0 [0147.682] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x18f374, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x18f374, ReturnLength=0x0) returned 0x0 [0147.693] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f004*=0x0, ZeroBits=0x0, RegionSize=0x18f008*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x18f004*=0x20000, RegionSize=0x18f008*=0x10000) returned 0x0 [0147.696] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0 [0147.703] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x18f364*=0x20000, RegionSize=0x18f368, FreeType=0x8000) returned 0x0 [0147.711] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x18f120 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0147.712] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32.dll", BaseAddress=0x18f190 | out: BaseAddress=0x18f190*=0x76260000) returned 0x0 [0147.725] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18f37c | out: TokenHandle=0x18f37c*=0x3c) returned 0x0 [0147.728] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18f370 | out: lpLuid=0x18f370*(LowPart=0x14, HighPart=0)) returned 1 [0147.732] NtAdjustPrivilegesToken (in: TokenHandle=0x3c, DisableAllPrivileges=0, NewState=0x18f36c, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0147.733] NtClose (Handle=0x3c) returned 0x0 [0147.733] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x18e948 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0147.742] RtlSetEnvironmentVariable (in: Environment=0x0, Name="L53886-W", Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" | out: Environment=0x0) returned 0x0 [0147.744] NtCreateSection (in: SectionHandle=0x18ee48, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18ebe8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18ee48*=0x3c) returned 0x0 [0147.746] NtMapViewOfSection (in: SectionHandle=0x3c, ProcessHandle=0xffffffff, BaseAddress=0x18ee4c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18ebe8*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18ee4c*=0x430000, SectionOffset=0x0, ViewSize=0x18ebe8*=0x24000) returned 0x0 [0147.749] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18e550*=0x0, ZeroBits=0x0, RegionSize=0x18e554*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x18e550*=0x20000, RegionSize=0x18e554*=0x10000) returned 0x0 [0147.749] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0 [0147.752] NtOpenProcess (in: ProcessHandle=0x18eba4, DesiredAccess=0x438, ObjectAttributes=0x18ebc4*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18eb98*(UniqueProcess=0x34c, UniqueThread=0x0) | out: ProcessHandle=0x18eba4*=0x84) returned 0x0 [0147.752] NtQueryInformationProcess (in: ProcessHandle=0x84, ProcessInformationClass=0x1a, ProcessInformation=0x18e8b0, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x18e8b0, ReturnLength=0x0) returned 0x0 [0147.752] NtCreateSection (in: SectionHandle=0x18e54c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18e50c, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18e54c*=0x88) returned 0x0 [0147.752] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0xffffffff, BaseAddress=0x18e554*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18e50c*=0x88840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18e554*=0x460000, SectionOffset=0x0, ViewSize=0x18e50c*=0x89000) returned 0x0 [0147.752] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0x84, BaseAddress=0x18e550*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18e548*=0x88840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18e550*=0x7d50000, SectionOffset=0x0, ViewSize=0x18e548*=0x89000) returned 0x0 [0149.884] NtClose (Handle=0x88) returned 0x0 [0149.884] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18d718 | out: TokenHandle=0x18d718*=0x88) returned 0x0 [0149.887] NtQueryInformationToken (in: TokenHandle=0x88, TokenInformationClass=0x1, TokenInformation=0x18cf10, TokenInformationLength=0x400, ReturnLength=0x18d710 | out: TokenInformation=0x18cf10, ReturnLength=0x18d710) returned 0x0 [0149.888] ConvertSidToStringSidW () returned 0x1 [0149.888] NtClose (Handle=0x88) returned 0x0 [0149.888] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18d988*=0x0, ZeroBits=0x0, RegionSize=0x18d98c*=0xdcba, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x18d988*=0x30000, RegionSize=0x18d98c*=0xe000) returned 0x0 [0149.888] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18d974*=0x0, ZeroBits=0x0, RegionSize=0x18d978*=0xdcba, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x18d974*=0x350000, RegionSize=0x18d978*=0xe000) returned 0x0 [0149.892] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18d98c*=0x418d32, NumberOfBytesToProtect=0x18d990, NewAccessProtection=0x40, OldAccessProtection=0x18e4dc | out: BaseAddress=0x18d98c*=0x418000, NumberOfBytesToProtect=0x18d990, OldAccessProtection=0x18e4dc*=0x40) returned 0x0 [0149.898] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x18e28c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0149.900] NtCreateFile (in: FileHandle=0x18e2b8, DesiredAccess=0x120089, ObjectAttributes=0x18e274*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18e294, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18e2b8*=0x88, IoStatusBlock=0x18e294*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0149.903] NtQueryInformationFile (in: FileHandle=0x88, IoStatusBlock=0x18e294, FileInformation=0x18e008, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x18e294, FileInformation=0x18e008) returned 0x0 [0149.903] NtClose (Handle=0x88) returned 0x0 [0149.912] NtOpenProcess (in: ProcessHandle=0x18e4a8, DesiredAccess=0x438, ObjectAttributes=0x18da68*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18daa8*(UniqueProcess=0x34c, UniqueThread=0x0) | out: ProcessHandle=0x18e4a8*=0x88) returned 0x0 [0149.915] NtQueryInformationProcess (in: ProcessHandle=0x88, ProcessInformationClass=0x0, ProcessInformation=0x18dab8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x18dab8, ReturnLength=0x0) returned 0x0 [0149.918] NtReadVirtualMemory (in: ProcessHandle=0x88, BaseAddress=0x7fffffd4000, Buffer=0x18df20, NumberOfBytesToRead=0x40, NumberOfBytesRead=0x0 | out: Buffer=0x18df20*, NumberOfBytesRead=0x0) returned 0x0 [0149.921] NtOpenThread (in: ThreadHandle=0x18da60, DesiredAccess=0x1a, ObjectAttributes=0x18da68, ClientId=0x18da98*(UniqueProcess=0x0, UniqueThread=0x358) | out: ThreadHandle=0x18da60*=0x8c) returned 0x0 [0149.924] NtSuspendThread (in: ThreadHandle=0x8c, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0149.929] NtGetContextThread (in: ThreadHandle=0x8c, Context=0x18dfa0 | out: Context=0x18dfa0*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x40, [65]=0xc1, [66]=0x91, [67]=0xfe, [68]=0xfe, [69]=0x7, [70]=0x0, [71]=0x0, [72]=0x20, [73]=0xbb, [74]=0x91, [75]=0xfe, [76]=0xfe, [77]=0x7, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0xfe91c140, SegGs=0x7fe, SegFs=0x2b9e000, SegEs=0x0, SegDs=0x20f528, Edi=0x0, Esi=0x100f0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0xfe91c010, SegCs=0x7fe, EFlags=0x20f108, Esp=0x0, SegSs=0x4d6d614f, ExtendedRegisters=([0]=0x95, [1]=0x2, [2]=0x61, [3]=0x40, [4]=0xa0, [5]=0x72, [6]=0x9c, [7]=0x4, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x3a, [45]=0x93, [46]=0x1c, [47]=0x77, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0149.933] NtSetContextThread (ThreadHandle=0x8c, Context=0x18dfa0*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x40, [65]=0xc1, [66]=0x91, [67]=0xfe, [68]=0xfe, [69]=0x7, [70]=0x0, [71]=0x0, [72]=0x20, [73]=0xbb, [74]=0x91, [75]=0xfe, [76]=0xfe, [77]=0x7, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0xfe91c140, SegGs=0x7fe, SegFs=0x2b9e000, SegEs=0x0, SegDs=0x20f528, Edi=0x0, Esi=0x100f0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0xfe91c010, SegCs=0x7fe, EFlags=0x20f108, Esp=0x0, SegSs=0x4d6d614f, ExtendedRegisters=([0]=0x95, [1]=0x2, [2]=0x61, [3]=0x40, [4]=0xa0, [5]=0x72, [6]=0x9c, [7]=0x4, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x89, [45]=0x6e, [46]=0xd6, [47]=0x7, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0149.933] NtQueueApcThread (ThreadHandle=0x8c, ApcRoutine=0x7d66ead, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0149.936] NtResumeThread (in: ThreadHandle=0x8c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0149.936] NtClose (Handle=0x88) returned 0x0 [0149.937] NtClose (Handle=0x8c) returned 0x0 [0149.937] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="user32.dll", BaseAddress=0x18e194 | out: BaseAddress=0x18e194*=0x76f90000) returned 0x0 [0149.953] PostThreadMessageW (idThread=0x358, Msg=0x111, wParam=0x0, lParam=0x0) returned 1 [0149.961] NtDelayExecution (Alertable=0, Interval=0x18e20c*=-30000000) returned 0x0 [0152.972] NtReadVirtualMemory (in: ProcessHandle=0x84, BaseAddress=0x7d99000, Buffer=0x18e230, NumberOfBytesToRead=0x2a8, NumberOfBytesRead=0x0 | out: Buffer=0x18e230*, NumberOfBytesRead=0x0) returned 0x0 [0152.972] NtClose (Handle=0x84) returned 0x0 [0152.972] NtOpenProcess (in: ProcessHandle=0x18f304, DesiredAccess=0x438, ObjectAttributes=0x18ebc4*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18eb98*(UniqueProcess=0x634, UniqueThread=0x0) | out: ProcessHandle=0x18f304*=0x84) returned 0x0 [0152.975] NtOpenThread (in: ThreadHandle=0x18f308, DesiredAccess=0x1a, ObjectAttributes=0x18ebc4, ClientId=0x18eb90*(UniqueProcess=0x0, UniqueThread=0x668) | out: ThreadHandle=0x18f308*=0x9c) returned 0x0 [0152.975] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\cmstp.exe", NtPathName=0x18e1d4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\cmstp.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0152.975] NtCreateFile (in: FileHandle=0x18e200, DesiredAccess=0x120089, ObjectAttributes=0x18e1bc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\cmstp.exe" (normalized: "c:\\windows\\syswow64\\cmstp.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18e1dc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18e200*=0xa0, IoStatusBlock=0x18e1dc*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0152.975] NtQueryInformationFile (in: FileHandle=0xa0, IoStatusBlock=0x18e1dc, FileInformation=0x18e134, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x18e1dc, FileInformation=0x18e134) returned 0x0 [0152.979] NtReadFile (in: FileHandle=0xa0, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x18e1dc, Buffer=0x624e70, BufferLength=0x14c00, ByteOffset=0x18e14c*=0, Key=0x0 | out: IoStatusBlock=0x18e1dc, Buffer=0x624e70*) returned 0x0 [0153.050] NtClose (Handle=0xa0) returned 0x0 [0153.051] NtQueryInformationProcess (in: ProcessHandle=0x84, ProcessInformationClass=0x0, ProcessInformation=0x18e534, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x18e534, ReturnLength=0x0) returned 0x0 [0153.051] NtReadVirtualMemory (in: ProcessHandle=0x84, BaseAddress=0x7efde008, Buffer=0x18f0f8, NumberOfBytesToRead=0x4, NumberOfBytesRead=0x0 | out: Buffer=0x18f0f8*, NumberOfBytesRead=0x0) returned 0x0 [0153.051] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x18ebdc*=0x20000, RegionSize=0x18ebe0, FreeType=0x8000) returned 0x0 [0153.051] NtReadVirtualMemory (in: ProcessHandle=0x84, BaseAddress=0x630000, Buffer=0x639e78, NumberOfBytesToRead=0x18000, NumberOfBytesRead=0x0 | out: Buffer=0x639e78*, NumberOfBytesRead=0x0) returned 0x0 [0153.054] NtCreateSection (in: SectionHandle=0x18f394, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18ebe8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18f394*=0xa0) returned 0x0 [0153.054] NtMapViewOfSection (in: SectionHandle=0xa0, ProcessHandle=0xffffffff, BaseAddress=0x18f390*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18ebe8*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18f390*=0x500000, SectionOffset=0x0, ViewSize=0x18ebe8*=0x24000) returned 0x0 [0153.054] NtMapViewOfSection (in: SectionHandle=0xa0, ProcessHandle=0x84, BaseAddress=0x18ee50*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18f07c*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18ee50*=0x70000, SectionOffset=0x0, ViewSize=0x18f07c*=0x24000) returned 0x0 [0153.054] NtCreateSection (in: SectionHandle=0x18f0f0, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x18ebf8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18f0f0*=0xa4) returned 0x0 [0153.054] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0xffffffff, BaseAddress=0x18f0f4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18ebf8*=0x18000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18f0f4*=0x530000, SectionOffset=0x0, ViewSize=0x18ebf8*=0x18000) returned 0x0 [0153.058] NtUnmapViewOfSection (ProcessHandle=0x84, BaseAddress=0x630000) returned 0x0 [0153.059] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0x84, BaseAddress=0x18f0f8*=0x630000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18f324*=0x18000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x18f0f8*=0x630000, SectionOffset=0x0, ViewSize=0x18f324*=0x18000) returned 0x0 [0153.064] NtResumeThread (in: ThreadHandle=0x9c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0153.066] ExitProcess (uExitCode=0x0) Thread: id = 56 os_tid = 0x610 Process: id = "11" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x84b1000" os_pid = "0x34c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "10" os_parent_pid = "0x338" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e25d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1288 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1289 start_va = 0x20000 end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1290 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1291 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1292 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1293 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1294 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1295 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1296 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1297 start_va = 0x100000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1298 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1299 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1300 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1301 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1302 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1303 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1304 start_va = 0x210000 end_va = 0x227fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1305 start_va = 0x230000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1306 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1307 start_va = 0x260000 end_va = 0x262fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1308 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1309 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1310 start_va = 0x470000 end_va = 0x474fff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1311 start_va = 0x480000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1312 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1313 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1314 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1315 start_va = 0x810000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1316 start_va = 0x1c10000 end_va = 0x2002fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 1317 start_va = 0x2010000 end_va = 0x20eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002010000" filename = "" Region: id = 1318 start_va = 0x20f0000 end_va = 0x215bfff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 1319 start_va = 0x2160000 end_va = 0x218ffff entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 1320 start_va = 0x2190000 end_va = 0x219ffff entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 1321 start_va = 0x21a0000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 1322 start_va = 0x21b0000 end_va = 0x222ffff entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 1323 start_va = 0x2230000 end_va = 0x2230fff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 1324 start_va = 0x2240000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 1325 start_va = 0x22c0000 end_va = 0x258efff entry_point = 0x22c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1326 start_va = 0x2590000 end_va = 0x2591fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002590000" filename = "" Region: id = 1327 start_va = 0x25a0000 end_va = 0x25a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025a0000" filename = "" Region: id = 1328 start_va = 0x25b0000 end_va = 0x25b2fff entry_point = 0x25b0000 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui") Region: id = 1329 start_va = 0x25c0000 end_va = 0x25c0fff entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 1330 start_va = 0x25d0000 end_va = 0x25ebfff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1331 start_va = 0x25f0000 end_va = 0x25f0fff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 1332 start_va = 0x2600000 end_va = 0x2608fff entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1333 start_va = 0x2610000 end_va = 0x2617fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 1334 start_va = 0x2620000 end_va = 0x263afff entry_point = 0x2620000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000011.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db") Region: id = 1335 start_va = 0x2640000 end_va = 0x2640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002640000" filename = "" Region: id = 1336 start_va = 0x2650000 end_va = 0x2653fff entry_point = 0x2650000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1337 start_va = 0x2660000 end_va = 0x268ffff entry_point = 0x2660000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 1338 start_va = 0x2690000 end_va = 0x269ffff entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 1339 start_va = 0x26a0000 end_va = 0x26affff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 1340 start_va = 0x26b0000 end_va = 0x26bffff entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 1341 start_va = 0x26c0000 end_va = 0x26cffff entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 1342 start_va = 0x26d0000 end_va = 0x26dffff entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 1343 start_va = 0x26e0000 end_va = 0x26effff entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 1344 start_va = 0x26f0000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 1345 start_va = 0x2700000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1346 start_va = 0x2710000 end_va = 0x271ffff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 1347 start_va = 0x2720000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 1348 start_va = 0x2730000 end_va = 0x2731fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002730000" filename = "" Region: id = 1349 start_va = 0x2740000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 1350 start_va = 0x2750000 end_va = 0x2750fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1351 start_va = 0x2760000 end_va = 0x276ffff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 1352 start_va = 0x2770000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 1353 start_va = 0x2870000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 1354 start_va = 0x2970000 end_va = 0x2973fff entry_point = 0x2970000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1355 start_va = 0x2980000 end_va = 0x2981fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 1356 start_va = 0x2990000 end_va = 0x2991fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002990000" filename = "" Region: id = 1357 start_va = 0x29a0000 end_va = 0x29a3fff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 1358 start_va = 0x29b0000 end_va = 0x29b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029b0000" filename = "" Region: id = 1359 start_va = 0x29c0000 end_va = 0x29c0fff entry_point = 0x29c0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 1360 start_va = 0x29d0000 end_va = 0x29d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029d0000" filename = "" Region: id = 1361 start_va = 0x29e0000 end_va = 0x29e6fff entry_point = 0x29e0000 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 1362 start_va = 0x29f0000 end_va = 0x29f3fff entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 1363 start_va = 0x2a00000 end_va = 0x2a00fff entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 1364 start_va = 0x2a10000 end_va = 0x2a10fff entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 1365 start_va = 0x2a20000 end_va = 0x2a20fff entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 1366 start_va = 0x2a30000 end_va = 0x2b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 1367 start_va = 0x2b30000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 1368 start_va = 0x2c30000 end_va = 0x2e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 1369 start_va = 0x2e30000 end_va = 0x3172fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e30000" filename = "" Region: id = 1370 start_va = 0x3180000 end_va = 0x3183fff entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 1371 start_va = 0x3190000 end_va = 0x3190fff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 1372 start_va = 0x31a0000 end_va = 0x31a0fff entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 1373 start_va = 0x31b0000 end_va = 0x31b0fff entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 1374 start_va = 0x31c0000 end_va = 0x31c0fff entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 1375 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 1376 start_va = 0x31e0000 end_va = 0x325ffff entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 1377 start_va = 0x3260000 end_va = 0x32c5fff entry_point = 0x3260000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1378 start_va = 0x32d0000 end_va = 0x32d0fff entry_point = 0x0 region_type = private name = "private_0x00000000032d0000" filename = "" Region: id = 1379 start_va = 0x32e0000 end_va = 0x335ffff entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 1380 start_va = 0x3360000 end_va = 0x3360fff entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 1381 start_va = 0x3370000 end_va = 0x3370fff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 1382 start_va = 0x3380000 end_va = 0x3380fff entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 1383 start_va = 0x3390000 end_va = 0x340ffff entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 1384 start_va = 0x3410000 end_va = 0x348ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 1385 start_va = 0x3490000 end_va = 0x3490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003490000" filename = "" Region: id = 1386 start_va = 0x34a0000 end_va = 0x34a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034a0000" filename = "" Region: id = 1387 start_va = 0x34b0000 end_va = 0x34b3fff entry_point = 0x34b0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1388 start_va = 0x34c0000 end_va = 0x34c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034c0000" filename = "" Region: id = 1389 start_va = 0x34d0000 end_va = 0x34d0fff entry_point = 0x34d0000 region_type = mapped_file name = "{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db") Region: id = 1390 start_va = 0x34e0000 end_va = 0x34e3fff entry_point = 0x34e0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1391 start_va = 0x34f0000 end_va = 0x34f0fff entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 1392 start_va = 0x3500000 end_va = 0x3500fff entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1393 start_va = 0x3510000 end_va = 0x3510fff entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 1394 start_va = 0x3520000 end_va = 0x359ffff entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 1395 start_va = 0x35a0000 end_va = 0x361ffff entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 1396 start_va = 0x3630000 end_va = 0x36affff entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1397 start_va = 0x36e0000 end_va = 0x3727fff entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 1398 start_va = 0x3750000 end_va = 0x3750fff entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 1399 start_va = 0x3770000 end_va = 0x3770fff entry_point = 0x3770000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1400 start_va = 0x3780000 end_va = 0x3780fff entry_point = 0x3780000 region_type = mapped_file name = "{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{3978EA0A-1C7E-4449-8AE1-E1265F039002}.2.ver0x0000000000000003.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db") Region: id = 1401 start_va = 0x3790000 end_va = 0x380ffff entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 1402 start_va = 0x3810000 end_va = 0x413ffff entry_point = 0x3810000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 1403 start_va = 0x4140000 end_va = 0x4143fff entry_point = 0x4140000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1404 start_va = 0x4150000 end_va = 0x4150fff entry_point = 0x4150000 region_type = mapped_file name = "{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{4E36EA69-73D1-4458-9D16-50F8E31A69A0}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db") Region: id = 1405 start_va = 0x4160000 end_va = 0x41affff entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 1406 start_va = 0x4200000 end_va = 0x4200fff entry_point = 0x4200000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1407 start_va = 0x4210000 end_va = 0x428ffff entry_point = 0x0 region_type = private name = "private_0x0000000004210000" filename = "" Region: id = 1408 start_va = 0x4290000 end_va = 0x4290fff entry_point = 0x4290000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1409 start_va = 0x42a0000 end_va = 0x42a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000042a0000" filename = "" Region: id = 1410 start_va = 0x42b0000 end_va = 0x42b0fff entry_point = 0x42b0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1411 start_va = 0x42c0000 end_va = 0x42c0fff entry_point = 0x42c0000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1412 start_va = 0x42d0000 end_va = 0x434ffff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 1413 start_va = 0x4350000 end_va = 0x4350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004350000" filename = "" Region: id = 1414 start_va = 0x4360000 end_va = 0x4360fff entry_point = 0x4360000 region_type = mapped_file name = "wdmaud.drv.mui" filename = "\\Windows\\System32\\en-US\\wdmaud.drv.mui" (normalized: "c:\\windows\\system32\\en-us\\wdmaud.drv.mui") Region: id = 1415 start_va = 0x4370000 end_va = 0x4370fff entry_point = 0x4370000 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 1416 start_va = 0x4380000 end_va = 0x4381fff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 1417 start_va = 0x4390000 end_va = 0x440ffff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 1418 start_va = 0x4410000 end_va = 0x4442fff entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 1419 start_va = 0x4450000 end_va = 0x4451fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004450000" filename = "" Region: id = 1420 start_va = 0x4460000 end_va = 0x4460fff entry_point = 0x4460000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1421 start_va = 0x4470000 end_va = 0x44effff entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 1422 start_va = 0x44f0000 end_va = 0x44f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000044f0000" filename = "" Region: id = 1423 start_va = 0x4500000 end_va = 0x4501fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004500000" filename = "" Region: id = 1424 start_va = 0x4510000 end_va = 0x4511fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004510000" filename = "" Region: id = 1425 start_va = 0x4520000 end_va = 0x4521fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004520000" filename = "" Region: id = 1426 start_va = 0x4530000 end_va = 0x4531fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004530000" filename = "" Region: id = 1427 start_va = 0x4540000 end_va = 0x4543fff entry_point = 0x4540000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1428 start_va = 0x4550000 end_va = 0x45cffff entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 1429 start_va = 0x45d0000 end_va = 0x45d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045d0000" filename = "" Region: id = 1430 start_va = 0x45e0000 end_va = 0x45e0fff entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 1431 start_va = 0x45f0000 end_va = 0x45f0fff entry_point = 0x45f0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1432 start_va = 0x4600000 end_va = 0x4600fff entry_point = 0x4600000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1433 start_va = 0x4610000 end_va = 0x4610fff entry_point = 0x4610000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1434 start_va = 0x4620000 end_va = 0x4621fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004620000" filename = "" Region: id = 1435 start_va = 0x4630000 end_va = 0x46affff entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 1436 start_va = 0x46b0000 end_va = 0x46b0fff entry_point = 0x0 region_type = private name = "private_0x00000000046b0000" filename = "" Region: id = 1437 start_va = 0x46c0000 end_va = 0x46c0fff entry_point = 0x46c0000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 1438 start_va = 0x46d0000 end_va = 0x474ffff entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 1439 start_va = 0x4750000 end_va = 0x4751fff entry_point = 0x4750000 region_type = mapped_file name = "msutb.dll.mui" filename = "\\Windows\\System32\\en-US\\msutb.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msutb.dll.mui") Region: id = 1440 start_va = 0x4760000 end_va = 0x4760fff entry_point = 0x0 region_type = private name = "private_0x0000000004760000" filename = "" Region: id = 1441 start_va = 0x4770000 end_va = 0x477ffff entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 1442 start_va = 0x4780000 end_va = 0x4780fff entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 1443 start_va = 0x4790000 end_va = 0x4791fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004790000" filename = "" Region: id = 1444 start_va = 0x47a0000 end_va = 0x47a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047a0000" filename = "" Region: id = 1445 start_va = 0x47b0000 end_va = 0x482ffff entry_point = 0x0 region_type = private name = "private_0x00000000047b0000" filename = "" Region: id = 1446 start_va = 0x4830000 end_va = 0x4a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000004830000" filename = "" Region: id = 1447 start_va = 0x4a30000 end_va = 0x4b2ffff entry_point = 0x4a30000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1448 start_va = 0x4b30000 end_va = 0x4baffff entry_point = 0x0 region_type = private name = "private_0x0000000004b30000" filename = "" Region: id = 1449 start_va = 0x4bb0000 end_va = 0x4bb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bb0000" filename = "" Region: id = 1450 start_va = 0x4bc0000 end_va = 0x4c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000004bc0000" filename = "" Region: id = 1451 start_va = 0x4c40000 end_va = 0x4d3ffff entry_point = 0x4c40000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1452 start_va = 0x4d40000 end_va = 0x4e3ffff entry_point = 0x4d40000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1453 start_va = 0x4e40000 end_va = 0x6194fff entry_point = 0x4e40000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 1454 start_va = 0x61a0000 end_va = 0x621ffff entry_point = 0x0 region_type = private name = "private_0x00000000061a0000" filename = "" Region: id = 1455 start_va = 0x6260000 end_va = 0x62dffff entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 1456 start_va = 0x62e0000 end_va = 0x66e2fff entry_point = 0x0 region_type = private name = "private_0x00000000062e0000" filename = "" Region: id = 1457 start_va = 0x66f0000 end_va = 0x7a44fff entry_point = 0x66f0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 1458 start_va = 0x7a50000 end_va = 0x7b4ffff entry_point = 0x7a50000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1459 start_va = 0x7b50000 end_va = 0x7c4ffff entry_point = 0x7b50000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1460 start_va = 0x7c50000 end_va = 0x7d4ffff entry_point = 0x7c50000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1461 start_va = 0x7d50000 end_va = 0x7dd8fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d50000" filename = "" Region: id = 1462 start_va = 0x7df0000 end_va = 0x7e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000007df0000" filename = "" Region: id = 1463 start_va = 0x7ee0000 end_va = 0x7f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000007ee0000" filename = "" Region: id = 1464 start_va = 0x7f90000 end_va = 0x800ffff entry_point = 0x0 region_type = private name = "private_0x0000000007f90000" filename = "" Region: id = 1465 start_va = 0x8060000 end_va = 0x80dffff entry_point = 0x0 region_type = private name = "private_0x0000000008060000" filename = "" Region: id = 1466 start_va = 0x80e0000 end_va = 0x80effff entry_point = 0x0 region_type = private name = "private_0x00000000080e0000" filename = "" Region: id = 1467 start_va = 0x8100000 end_va = 0x817ffff entry_point = 0x0 region_type = private name = "private_0x0000000008100000" filename = "" Region: id = 1468 start_va = 0x81a0000 end_va = 0x821ffff entry_point = 0x0 region_type = private name = "private_0x00000000081a0000" filename = "" Region: id = 1469 start_va = 0x82b0000 end_va = 0x832ffff entry_point = 0x0 region_type = private name = "private_0x00000000082b0000" filename = "" Region: id = 1470 start_va = 0x8390000 end_va = 0x840ffff entry_point = 0x0 region_type = private name = "private_0x0000000008390000" filename = "" Region: id = 1471 start_va = 0x8410000 end_va = 0x850ffff entry_point = 0x8410000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1472 start_va = 0x8510000 end_va = 0x860ffff entry_point = 0x8510000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1473 start_va = 0x8610000 end_va = 0x870ffff entry_point = 0x8610000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1474 start_va = 0x8760000 end_va = 0x87dffff entry_point = 0x0 region_type = private name = "private_0x0000000008760000" filename = "" Region: id = 1475 start_va = 0x8840000 end_va = 0x88bffff entry_point = 0x0 region_type = private name = "private_0x0000000008840000" filename = "" Region: id = 1476 start_va = 0x8970000 end_va = 0x89effff entry_point = 0x0 region_type = private name = "private_0x0000000008970000" filename = "" Region: id = 1477 start_va = 0x8a30000 end_va = 0x8a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000008a30000" filename = "" Region: id = 1478 start_va = 0x8ab0000 end_va = 0x8b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000008ab0000" filename = "" Region: id = 1479 start_va = 0x8b30000 end_va = 0x8beffff entry_point = 0x8b30000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1480 start_va = 0x8bf0000 end_va = 0x8ceffff entry_point = 0x0 region_type = private name = "private_0x0000000008bf0000" filename = "" Region: id = 1481 start_va = 0x8d00000 end_va = 0x8d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000008d00000" filename = "" Region: id = 1482 start_va = 0x8e20000 end_va = 0x8e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000008e20000" filename = "" Region: id = 1483 start_va = 0x8ee0000 end_va = 0x8f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000008ee0000" filename = "" Region: id = 1484 start_va = 0x9060000 end_va = 0x90dffff entry_point = 0x0 region_type = private name = "private_0x0000000009060000" filename = "" Region: id = 1485 start_va = 0x9140000 end_va = 0x91bffff entry_point = 0x0 region_type = private name = "private_0x0000000009140000" filename = "" Region: id = 1486 start_va = 0x91c0000 end_va = 0x95bffff entry_point = 0x0 region_type = private name = "private_0x00000000091c0000" filename = "" Region: id = 1487 start_va = 0x739f0000 end_va = 0x739f5fff entry_point = 0x739f0000 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 1488 start_va = 0x73ab0000 end_va = 0x73adefff entry_point = 0x73ab0000 region_type = mapped_file name = "atl90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895\\ATL90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895\\atl90.dll") Region: id = 1489 start_va = 0x73ae0000 end_va = 0x73bb2fff entry_point = 0x73ae0000 region_type = mapped_file name = "msvcp90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcp90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcp90.dll") Region: id = 1490 start_va = 0x73bc0000 end_va = 0x73c62fff entry_point = 0x73bc0000 region_type = mapped_file name = "msvcr90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll") Region: id = 1491 start_va = 0x74e80000 end_va = 0x74f62fff entry_point = 0x74e80000 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 1492 start_va = 0x77090000 end_va = 0x771aefff entry_point = 0x77090000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1493 start_va = 0x771b0000 end_va = 0x772a9fff entry_point = 0x771b0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1494 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1495 start_va = 0x77480000 end_va = 0x77486fff entry_point = 0x77480000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1496 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1497 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1498 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1499 start_va = 0xffc40000 end_va = 0xffefffff entry_point = 0xffc40000 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 1500 start_va = 0x7fef4110000 end_va = 0x7fef41d5fff entry_point = 0x7fef4110000 region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll") Region: id = 1501 start_va = 0x7fef41e0000 end_va = 0x7fef4233fff entry_point = 0x7fef41e0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 1502 start_va = 0x7fef4240000 end_va = 0x7fef4df6fff entry_point = 0x7fef4240000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 1503 start_va = 0x7fef4e00000 end_va = 0x7fef4eb4fff entry_point = 0x7fef4e00000 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 1504 start_va = 0x7fef4ec0000 end_va = 0x7fef4f04fff entry_point = 0x7fef4ec0000 region_type = mapped_file name = "qagent.dll" filename = "\\Windows\\System32\\QAGENT.DLL" (normalized: "c:\\windows\\system32\\qagent.dll") Region: id = 1505 start_va = 0x7fef4f10000 end_va = 0x7fef4f1cfff entry_point = 0x7fef4f10000 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 1506 start_va = 0x7fef4f20000 end_va = 0x7fef4f7dfff entry_point = 0x7fef4f20000 region_type = mapped_file name = "wwanapi.dll" filename = "\\Windows\\System32\\WWanAPI.dll" (normalized: "c:\\windows\\system32\\wwanapi.dll") Region: id = 1507 start_va = 0x7fef4f80000 end_va = 0x7fef4f86fff entry_point = 0x7fef4f80000 region_type = mapped_file name = "wlanutil.dll" filename = "\\Windows\\System32\\wlanutil.dll" (normalized: "c:\\windows\\system32\\wlanutil.dll") Region: id = 1508 start_va = 0x7fef4f90000 end_va = 0x7fef4faffff entry_point = 0x7fef4f90000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1509 start_va = 0x7fef51c0000 end_va = 0x7fef51cbfff entry_point = 0x7fef51c0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1510 start_va = 0x7fef5640000 end_va = 0x7fef56b3fff entry_point = 0x7fef5640000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1511 start_va = 0x7fef5ac0000 end_va = 0x7fef5af0fff entry_point = 0x7fef5ac0000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 1512 start_va = 0x7fef5b00000 end_va = 0x7fef5b54fff entry_point = 0x7fef5b00000 region_type = mapped_file name = "hgcpl.dll" filename = "\\Windows\\System32\\hgcpl.dll" (normalized: "c:\\windows\\system32\\hgcpl.dll") Region: id = 1513 start_va = 0x7fef5cc0000 end_va = 0x7fef5d3efff entry_point = 0x7fef5cc0000 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 1514 start_va = 0x7fef5d70000 end_va = 0x7fef5e0cfff entry_point = 0x7fef5d70000 region_type = mapped_file name = "fxsapi.dll" filename = "\\Windows\\System32\\FXSAPI.dll" (normalized: "c:\\windows\\system32\\fxsapi.dll") Region: id = 1515 start_va = 0x7fef5e10000 end_va = 0x7fef5ee6fff entry_point = 0x7fef5e10000 region_type = mapped_file name = "fxsst.dll" filename = "\\Windows\\System32\\FXSST.dll" (normalized: "c:\\windows\\system32\\fxsst.dll") Region: id = 1516 start_va = 0x7fef5ef0000 end_va = 0x7fef5fb1fff entry_point = 0x7fef5ef0000 region_type = mapped_file name = "actioncenter.dll" filename = "\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 1517 start_va = 0x7fef5fc0000 end_va = 0x7fef5ffefff entry_point = 0x7fef5fc0000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 1518 start_va = 0x7fef6000000 end_va = 0x7fef601efff entry_point = 0x7fef6000000 region_type = mapped_file name = "qutil.dll" filename = "\\Windows\\System32\\QUTIL.DLL" (normalized: "c:\\windows\\system32\\qutil.dll") Region: id = 1519 start_va = 0x7fef6020000 end_va = 0x7fef61dcfff entry_point = 0x7fef6020000 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 1520 start_va = 0x7fef61e0000 end_va = 0x7fef629cfff entry_point = 0x7fef61e0000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 1521 start_va = 0x7fef62a0000 end_va = 0x7fef62d8fff entry_point = 0x7fef62a0000 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 1522 start_va = 0x7fef62e0000 end_va = 0x7fef62fffff entry_point = 0x7fef62e0000 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 1523 start_va = 0x7fef6300000 end_va = 0x7fef630ffff entry_point = 0x7fef6300000 region_type = mapped_file name = "alttab.dll" filename = "\\Windows\\System32\\AltTab.dll" (normalized: "c:\\windows\\system32\\alttab.dll") Region: id = 1524 start_va = 0x7fef6310000 end_va = 0x7fef659afff entry_point = 0x7fef6310000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 1525 start_va = 0x7fef65e0000 end_va = 0x7fef65eafff entry_point = 0x7fef65e0000 region_type = mapped_file name = "ehsso.dll" filename = "\\Windows\\ehome\\ehSSO.dll" (normalized: "c:\\windows\\ehome\\ehsso.dll") Region: id = 1526 start_va = 0x7fef65f0000 end_va = 0x7fef6605fff entry_point = 0x7fef65f0000 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 1527 start_va = 0x7fef6610000 end_va = 0x7fef6683fff entry_point = 0x7fef6610000 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 1528 start_va = 0x7fef6790000 end_va = 0x7fef69bafff entry_point = 0x7fef6790000 region_type = mapped_file name = "synccenter.dll" filename = "\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 1529 start_va = 0x7fef69c0000 end_va = 0x7fef6a28fff entry_point = 0x7fef69c0000 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 1530 start_va = 0x7fef6ca0000 end_va = 0x7fef6d59fff entry_point = 0x7fef6ca0000 region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 1531 start_va = 0x7fef6d60000 end_va = 0x7fef6da2fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 1532 start_va = 0x7fef7040000 end_va = 0x7fef70b0fff entry_point = 0x7fef7040000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1533 start_va = 0x7fef7220000 end_va = 0x7fef7283fff entry_point = 0x7fef7220000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1534 start_va = 0x7fef7290000 end_va = 0x7fef7300fff entry_point = 0x7fef7290000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1535 start_va = 0x7fef75b0000 end_va = 0x7fef76eafff entry_point = 0x7fef75b0000 region_type = mapped_file name = "msoshext.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll") Region: id = 1536 start_va = 0x7fef7bf0000 end_va = 0x7fef7c07fff entry_point = 0x7fef7bf0000 region_type = mapped_file name = "msacm32.dll" filename = "\\Windows\\System32\\msacm32.dll" (normalized: "c:\\windows\\system32\\msacm32.dll") Region: id = 1537 start_va = 0x7fef7c10000 end_va = 0x7fef7c5efff entry_point = 0x7fef7c10000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1538 start_va = 0x7fef7c60000 end_va = 0x7fef7c9afff entry_point = 0x7fef7c60000 region_type = mapped_file name = "wdmaud.drv" filename = "\\Windows\\System32\\wdmaud.drv" (normalized: "c:\\windows\\system32\\wdmaud.drv") Region: id = 1539 start_va = 0x7fef7ca0000 end_va = 0x7fef7cdafff entry_point = 0x7fef7ca0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 1540 start_va = 0x7fef7cf0000 end_va = 0x7fef7e8bfff entry_point = 0x7fef7cf0000 region_type = mapped_file name = "networkexplorer.dll" filename = "\\Windows\\System32\\networkexplorer.dll" (normalized: "c:\\windows\\system32\\networkexplorer.dll") Region: id = 1541 start_va = 0x7fef7e90000 end_va = 0x7fef7eaefff entry_point = 0x7fef7e90000 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 1542 start_va = 0x7fef7eb0000 end_va = 0x7fef7eb8fff entry_point = 0x7fef7eb0000 region_type = mapped_file name = "midimap.dll" filename = "\\Windows\\System32\\midimap.dll" (normalized: "c:\\windows\\system32\\midimap.dll") Region: id = 1543 start_va = 0x7fef7ec0000 end_va = 0x7fef7ec9fff entry_point = 0x7fef7ec0000 region_type = mapped_file name = "msacm32.drv" filename = "\\Windows\\System32\\msacm32.drv" (normalized: "c:\\windows\\system32\\msacm32.drv") Region: id = 1544 start_va = 0x7fef7ed0000 end_va = 0x7fef7f0cfff entry_point = 0x7fef7ed0000 region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 1545 start_va = 0x7fef7f20000 end_va = 0x7fef7f9efff entry_point = 0x7fef7f20000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 1546 start_va = 0x7fef7fa0000 end_va = 0x7fef7fdafff entry_point = 0x7fef7fa0000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 1547 start_va = 0x7fef80b0000 end_va = 0x7fef83c5fff entry_point = 0x7fef80b0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 1548 start_va = 0x7fef83d0000 end_va = 0x7fef83d8fff entry_point = 0x7fef83d0000 region_type = mapped_file name = "msiltcfg.dll" filename = "\\Windows\\System32\\msiltcfg.dll" (normalized: "c:\\windows\\system32\\msiltcfg.dll") Region: id = 1549 start_va = 0x7fef83e0000 end_va = 0x7fef845bfff entry_point = 0x7fef83e0000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1550 start_va = 0x7fef8460000 end_va = 0x7fef8702fff entry_point = 0x7fef8460000 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 1551 start_va = 0x7fef8860000 end_va = 0x7fef886bfff entry_point = 0x7fef8860000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 1552 start_va = 0x7fef8870000 end_va = 0x7fef88a3fff entry_point = 0x7fef8870000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 1553 start_va = 0x7fef88b0000 end_va = 0x7fef899dfff entry_point = 0x7fef88b0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1554 start_va = 0x7fef8bc0000 end_va = 0x7fef8bd7fff entry_point = 0x7fef8bc0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1555 start_va = 0x7fef8be0000 end_va = 0x7fef8bf0fff entry_point = 0x7fef8be0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1556 start_va = 0x7fef90a0000 end_va = 0x7fef9122fff entry_point = 0x7fef90a0000 region_type = mapped_file name = "timedate.cpl" filename = "\\Windows\\System32\\timedate.cpl" (normalized: "c:\\windows\\system32\\timedate.cpl") Region: id = 1557 start_va = 0x7fef9130000 end_va = 0x7fef9401fff entry_point = 0x7fef9130000 region_type = mapped_file name = "themeui.dll" filename = "\\Windows\\System32\\themeui.dll" (normalized: "c:\\windows\\system32\\themeui.dll") Region: id = 1558 start_va = 0x7fef9410000 end_va = 0x7fef9417fff entry_point = 0x7fef9410000 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 1559 start_va = 0x7fef9420000 end_va = 0x7fef949ffff entry_point = 0x7fef9420000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 1560 start_va = 0x7fef94a0000 end_va = 0x7fef94aefff entry_point = 0x7fef94a0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1561 start_va = 0x7fef94b0000 end_va = 0x7fef94bbfff entry_point = 0x7fef94b0000 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 1562 start_va = 0x7fef94c0000 end_va = 0x7fef953dfff entry_point = 0x7fef94c0000 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 1563 start_va = 0x7fef9540000 end_va = 0x7fef9da3fff entry_point = 0x7fef9540000 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\PROGRA~1\\MICROS~1\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\progra~1\\micros~1\\office14\\1033\\grooveintlresource.dll") Region: id = 1564 start_va = 0x7fef9db0000 end_va = 0x7fefa1c9fff entry_point = 0x7fef9db0000 region_type = mapped_file name = "office.odf" filename = "\\PROGRA~1\\COMMON~1\\MICROS~1\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\progra~1\\common~1\\micros~1\\office14\\cultures\\office.odf") Region: id = 1565 start_va = 0x7fefa1d0000 end_va = 0x7fefa840fff entry_point = 0x7fefa1d0000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office14\\GROOVEEX.DLL" (normalized: "c:\\progra~1\\micros~1\\office14\\grooveex.dll") Region: id = 1566 start_va = 0x7fefa850000 end_va = 0x7fefa884fff entry_point = 0x7fefa850000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 1567 start_va = 0x7fefa890000 end_va = 0x7fefa8e6fff entry_point = 0x7fefa890000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1568 start_va = 0x7fefa8f0000 end_va = 0x7fefaab9fff entry_point = 0x7fefa8f0000 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 1569 start_va = 0x7fefaba0000 end_va = 0x7fefabaafff entry_point = 0x7fefaba0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1570 start_va = 0x7fefabb0000 end_va = 0x7fefabd6fff entry_point = 0x7fefabb0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1571 start_va = 0x7fefae80000 end_va = 0x7fefae93fff entry_point = 0x7fefae80000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1572 start_va = 0x7fefaea0000 end_va = 0x7fefaeb4fff entry_point = 0x7fefaea0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1573 start_va = 0x7fefaec0000 end_va = 0x7fefaecbfff entry_point = 0x7fefaec0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1574 start_va = 0x7fefaf40000 end_va = 0x7fefaf97fff entry_point = 0x7fefaf40000 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 1575 start_va = 0x7fefb010000 end_va = 0x7fefb139fff entry_point = 0x7fefb010000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 1576 start_va = 0x7fefb140000 end_va = 0x7fefb174fff entry_point = 0x7fefb140000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1577 start_va = 0x7fefb180000 end_va = 0x7fefb197fff entry_point = 0x7fefb180000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1578 start_va = 0x7fefb1a0000 end_va = 0x7fefb1aafff entry_point = 0x7fefb1a0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1579 start_va = 0x7fefb1b0000 end_va = 0x7fefb1eafff entry_point = 0x7fefb1b0000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 1580 start_va = 0x7fefb1f0000 end_va = 0x7fefb256fff entry_point = 0x7fefb1f0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1581 start_va = 0x7fefb260000 end_va = 0x7fefb270fff entry_point = 0x7fefb260000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1582 start_va = 0x7fefb280000 end_va = 0x7fefb28afff entry_point = 0x7fefb280000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1583 start_va = 0x7fefb2b0000 end_va = 0x7fefb2c8fff entry_point = 0x7fefb2b0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1584 start_va = 0x7fefb310000 end_va = 0x7fefb324fff entry_point = 0x7fefb310000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1585 start_va = 0x7fefb440000 end_va = 0x7fefb566fff entry_point = 0x7fefb440000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1586 start_va = 0x7fefb670000 end_va = 0x7fefb678fff entry_point = 0x7fefb670000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1587 start_va = 0x7fefb680000 end_va = 0x7fefb6cafff entry_point = 0x7fefb680000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1588 start_va = 0x7fefb6d0000 end_va = 0x7fefb6fbfff entry_point = 0x7fefb6d0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1589 start_va = 0x7fefb7b0000 end_va = 0x7fefb7dcfff entry_point = 0x7fefb7b0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1590 start_va = 0x7fefb7e0000 end_va = 0x7fefb822fff entry_point = 0x7fefb7e0000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 1591 start_va = 0x7fefb830000 end_va = 0x7fefb921fff entry_point = 0x7fefb830000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 1592 start_va = 0x7fefb930000 end_va = 0x7fefbb44fff entry_point = 0x7fefb930000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 1593 start_va = 0x7fefbb50000 end_va = 0x7fefbba5fff entry_point = 0x7fefbb50000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1594 start_va = 0x7fefbbb0000 end_va = 0x7fefbcdbfff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1595 start_va = 0x7fefbce0000 end_va = 0x7fefbcfcfff entry_point = 0x7fefbce0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1596 start_va = 0x7fefbd00000 end_va = 0x7fefbd23fff entry_point = 0x7fefbd00000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1597 start_va = 0x7fefbd30000 end_va = 0x7fefbf23fff entry_point = 0x7fefbd30000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 1598 start_va = 0x7fefbf30000 end_va = 0x7fefc038fff entry_point = 0x7fefbf30000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 1599 start_va = 0x7fefc040000 end_va = 0x7fefc219fff entry_point = 0x7fefc040000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 1600 start_va = 0x7fefc3c0000 end_va = 0x7fefc3cbfff entry_point = 0x7fefc3c0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1601 start_va = 0x7fefc5a0000 end_va = 0x7fefc5bdfff entry_point = 0x7fefc5a0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1602 start_va = 0x7fefc6f0000 end_va = 0x7fefc6f9fff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1603 start_va = 0x7fefc7f0000 end_va = 0x7fefc836fff entry_point = 0x7fefc7f0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1604 start_va = 0x7fefcaf0000 end_va = 0x7fefcb06fff entry_point = 0x7fefcaf0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1605 start_va = 0x7fefcc00000 end_va = 0x7fefcc31fff entry_point = 0x7fefcc00000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1606 start_va = 0x7fefcd20000 end_va = 0x7fefcd8cfff entry_point = 0x7fefcd20000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1607 start_va = 0x7fefcff0000 end_va = 0x7fefd012fff entry_point = 0x7fefcff0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1608 start_va = 0x7fefd090000 end_va = 0x7fefd09afff entry_point = 0x7fefd090000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1609 start_va = 0x7fefd0c0000 end_va = 0x7fefd0e4fff entry_point = 0x7fefd0c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1610 start_va = 0x7fefd0f0000 end_va = 0x7fefd0fefff entry_point = 0x7fefd0f0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1611 start_va = 0x7fefd100000 end_va = 0x7fefd190fff entry_point = 0x7fefd100000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1612 start_va = 0x7fefd1a0000 end_va = 0x7fefd1dcfff entry_point = 0x7fefd1a0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1613 start_va = 0x7fefd1e0000 end_va = 0x7fefd1f3fff entry_point = 0x7fefd1e0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1614 start_va = 0x7fefd200000 end_va = 0x7fefd20efff entry_point = 0x7fefd200000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1615 start_va = 0x7fefd2a0000 end_va = 0x7fefd2aefff entry_point = 0x7fefd2a0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1616 start_va = 0x7fefd2b0000 end_va = 0x7fefd2c9fff entry_point = 0x7fefd2b0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1617 start_va = 0x7fefd2d0000 end_va = 0x7fefd436fff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1618 start_va = 0x7fefd440000 end_va = 0x7fefd475fff entry_point = 0x7fefd440000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1619 start_va = 0x7fefd480000 end_va = 0x7fefd4b9fff entry_point = 0x7fefd480000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1620 start_va = 0x7fefd560000 end_va = 0x7fefd5cafff entry_point = 0x7fefd560000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1621 start_va = 0x7fefd5d0000 end_va = 0x7fefd6fcfff entry_point = 0x7fefd5d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1622 start_va = 0x7fefd700000 end_va = 0x7fefd766fff entry_point = 0x7fefd700000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1623 start_va = 0x7fefd770000 end_va = 0x7fefd77dfff entry_point = 0x7fefd770000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1624 start_va = 0x7fefd780000 end_va = 0x7fefd856fff entry_point = 0x7fefd780000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1625 start_va = 0x7fefd860000 end_va = 0x7fefd8d0fff entry_point = 0x7fefd860000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1626 start_va = 0x7fefd8e0000 end_va = 0x7fefdae2fff entry_point = 0x7fefd8e0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1627 start_va = 0x7fefdaf0000 end_va = 0x7fefdbb8fff entry_point = 0x7fefdaf0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1628 start_va = 0x7fefdbc0000 end_va = 0x7fefdc9afff entry_point = 0x7fefdbc0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1629 start_va = 0x7fefdca0000 end_va = 0x7fefdef8fff entry_point = 0x7fefdca0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1630 start_va = 0x7fefdf00000 end_va = 0x7fefdf9efff entry_point = 0x7fefdf00000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1631 start_va = 0x7fefdfa0000 end_va = 0x7fefe176fff entry_point = 0x7fefdfa0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1632 start_va = 0x7fefe180000 end_va = 0x7fefe218fff entry_point = 0x7fefe180000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1633 start_va = 0x7fefe220000 end_va = 0x7fefe23efff entry_point = 0x7fefe220000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1634 start_va = 0x7fefe240000 end_va = 0x7fefe3b7fff entry_point = 0x7fefe240000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 1635 start_va = 0x7fefe3c0000 end_va = 0x7fefe4c8fff entry_point = 0x7fefe3c0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1636 start_va = 0x7fefe4d0000 end_va = 0x7feff257fff entry_point = 0x7fefe4d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1637 start_va = 0x7feff300000 end_va = 0x7feff32dfff entry_point = 0x7feff300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1638 start_va = 0x7feff330000 end_va = 0x7feff337fff entry_point = 0x7feff330000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1639 start_va = 0x7feff340000 end_va = 0x7feff469fff entry_point = 0x7feff340000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 1640 start_va = 0x7feff470000 end_va = 0x7feff4bcfff entry_point = 0x7feff470000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1641 start_va = 0x7feff4c0000 end_va = 0x7feff511fff entry_point = 0x7feff4c0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1642 start_va = 0x7feff5d0000 end_va = 0x7feff5d0fff entry_point = 0x7feff5d0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1643 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 1644 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 1645 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 1646 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 1647 start_va = 0x7fffff80000 end_va = 0x7fffff81fff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 1648 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 1649 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 1650 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 1651 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 1652 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 1653 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 1654 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 1655 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 1656 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 1657 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1658 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1659 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1660 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 1661 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1662 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1663 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1664 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1665 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1666 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1667 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1668 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1669 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1670 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1671 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1672 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1673 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1674 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1675 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1676 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1804 start_va = 0x95c0000 end_va = 0x9aa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000095c0000" filename = "" Region: id = 1805 start_va = 0x8220000 end_va = 0x8294fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008220000" filename = "" Region: id = 1899 start_va = 0x31e0000 end_va = 0x31e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031e0000" filename = "" Region: id = 1900 start_va = 0x4aa0000 end_va = 0x4b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000004aa0000" filename = "" Region: id = 1901 start_va = 0x7fef75d0000 end_va = 0x7fef76eefff entry_point = 0x7fef75d0000 region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 1902 start_va = 0x7fef8090000 end_va = 0x7fef80a2fff entry_point = 0x7fef8090000 region_type = mapped_file name = "wscapi.dll" filename = "\\Windows\\System32\\wscapi.dll" (normalized: "c:\\windows\\system32\\wscapi.dll") Region: id = 1903 start_va = 0x7fef9140000 end_va = 0x7fef9167fff entry_point = 0x7fef9140000 region_type = mapped_file name = "wscinterop.dll" filename = "\\Windows\\System32\\wscinterop.dll" (normalized: "c:\\windows\\system32\\wscinterop.dll") Region: id = 1904 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1905 start_va = 0x7fef3fd0000 end_va = 0x7fef410bfff entry_point = 0x7fef3fd0000 region_type = mapped_file name = "werconcpl.dll" filename = "\\Windows\\System32\\werconcpl.dll" (normalized: "c:\\windows\\system32\\werconcpl.dll") Region: id = 1906 start_va = 0x7fef8020000 end_va = 0x7fef8038fff entry_point = 0x7fef8020000 region_type = mapped_file name = "wercplsupport.dll" filename = "\\Windows\\System32\\wercplsupport.dll" (normalized: "c:\\windows\\system32\\wercplsupport.dll") Region: id = 1907 start_va = 0x7fef8040000 end_va = 0x7fef808bfff entry_point = 0x7fef8040000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1908 start_va = 0x31f0000 end_va = 0x31f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031f0000" filename = "" Region: id = 1909 start_va = 0x7fef9130000 end_va = 0x7fef913afff entry_point = 0x7fef9130000 region_type = mapped_file name = "hcproviders.dll" filename = "\\Windows\\System32\\hcproviders.dll" (normalized: "c:\\windows\\system32\\hcproviders.dll") Region: id = 2088 start_va = 0x3200000 end_va = 0x3204fff entry_point = 0x3200000 region_type = mapped_file name = "actioncenter.dll.mui" filename = "\\Windows\\System32\\en-US\\ActionCenter.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\actioncenter.dll.mui") Region: id = 2089 start_va = 0x7fef3750000 end_va = 0x7fef3770fff entry_point = 0x7fef3750000 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Thread: id = 57 os_tid = 0x5e0 Thread: id = 58 os_tid = 0x748 Thread: id = 59 os_tid = 0x72c Thread: id = 60 os_tid = 0x724 Thread: id = 61 os_tid = 0x720 Thread: id = 62 os_tid = 0x718 Thread: id = 63 os_tid = 0x710 Thread: id = 64 os_tid = 0x700 Thread: id = 65 os_tid = 0x6e0 Thread: id = 66 os_tid = 0x6bc Thread: id = 67 os_tid = 0x6b4 Thread: id = 68 os_tid = 0x5f8 Thread: id = 69 os_tid = 0x5d8 Thread: id = 70 os_tid = 0x5c0 Thread: id = 71 os_tid = 0x5b4 Thread: id = 72 os_tid = 0x5ac Thread: id = 73 os_tid = 0x5a8 Thread: id = 74 os_tid = 0x564 Thread: id = 75 os_tid = 0x560 Thread: id = 76 os_tid = 0x530 Thread: id = 77 os_tid = 0x52c Thread: id = 78 os_tid = 0x528 Thread: id = 79 os_tid = 0x524 Thread: id = 80 os_tid = 0x520 Thread: id = 81 os_tid = 0x514 Thread: id = 82 os_tid = 0x498 Thread: id = 83 os_tid = 0x494 Thread: id = 84 os_tid = 0x490 Thread: id = 85 os_tid = 0x3b8 Thread: id = 86 os_tid = 0x138 Thread: id = 87 os_tid = 0x174 Thread: id = 88 os_tid = 0xf0 Thread: id = 89 os_tid = 0x144 Thread: id = 90 os_tid = 0x158 Thread: id = 91 os_tid = 0x384 Thread: id = 92 os_tid = 0x358 [0149.957] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\rdpclip.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x20f3b8*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f390, hNewToken=0x0 | out: lpProcessInformation=0x20f390*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0), hNewToken=0x0) returned 0 [0149.958] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\autochk.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x20f3b8*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f390, hNewToken=0x0 | out: lpProcessInformation=0x20f390*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0), hNewToken=0x0) returned 0 [0151.049] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\cmstp.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x20f3b8*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20f390, hNewToken=0x0 | out: lpProcessInformation=0x20f390*(hProcess=0xb24, hThread=0xb2c, dwProcessId=0x634, dwThreadId=0x668), hNewToken=0x0) returned 1 [0166.366] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x20ee20 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0166.387] RtlIntegerToChar (in: Value=0x34c, Base=0x0, Length=0x20, String=0x20f3f0 | out: String="844") returned 0x0 [0166.387] RtlIntegerToChar (in: Value=0x6ae232c9, Base=0x0, Length=0x20, String=0x20f3f0 | out: String="1793209033") returned 0x0 [0166.387] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="S-1-5-21-3388679-8441793209033") returned 0xb30 [0166.387] GetLastError () returned 0x0 [0166.406] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x20eba0 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0166.413] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x20eea0 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0166.429] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c6110, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x40, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c6000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x20) returned 0x0 [0166.432] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c6110, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x20, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c6000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x40) returned 0x0 [0166.434] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c9e74, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x40, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c9000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x20) returned 0x0 [0166.437] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c9e74, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x20, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c9000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x40) returned 0x0 [0166.440] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c3a18, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x40, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c3000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x20) returned 0x0 [0166.443] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c3a18, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x20, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c3000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x40) returned 0x0 [0166.445] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c8fd0, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x40, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c8000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x20) returned 0x0 [0166.448] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x20f058*=0x771c8fd0, NumberOfBytesToProtect=0x20f050, NewAccessProtection=0x20, OldAccessProtection=0x20f1a0 | out: BaseAddress=0x20f058*=0x771c8000, NumberOfBytesToProtect=0x20f050, OldAccessProtection=0x20f1a0*=0x40) returned 0x0 [0166.451] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x20f220 | out: lpWSAData=0x20f220) returned 0 Thread: id = 101 os_tid = 0x768 Thread: id = 123 os_tid = 0x710 Thread: id = 124 os_tid = 0x780 Process: id = "12" image_name = "autochk.exe" filename = "c:\\windows\\syswow64\\autochk.exe" page_root = "0x74754000" os_pid = "0x624" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x34c" cmd_line = "\"C:\\Windows\\SysWOW64\\autochk.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e25d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1692 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1693 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1694 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1695 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1696 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1697 start_va = 0xba0000 end_va = 0xc45fff entry_point = 0xba0000 region_type = mapped_file name = "autochk.exe" filename = "\\Windows\\SysWOW64\\autochk.exe" (normalized: "c:\\windows\\syswow64\\autochk.exe") Region: id = 1698 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1699 start_va = 0x77490000 end_va = 0x7760ffff entry_point = 0x77490000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1700 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1701 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1702 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1703 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1704 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1705 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1706 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Thread: id = 93 os_tid = 0x628 Process: id = "13" image_name = "cmstp.exe" filename = "c:\\windows\\syswow64\\cmstp.exe" page_root = "0x7455a000" os_pid = "0x634" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x34c" cmd_line = "\"C:\\Windows\\SysWOW64\\cmstp.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e25d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1707 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1708 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1709 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1710 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1711 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1712 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1713 start_va = 0x180000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1714 start_va = 0x630000 end_va = 0x647fff entry_point = 0x630000 region_type = mapped_file name = "cmstp.exe" filename = "\\Windows\\SysWOW64\\cmstp.exe" (normalized: "c:\\windows\\syswow64\\cmstp.exe") Region: id = 1715 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1716 start_va = 0x77490000 end_va = 0x7760ffff entry_point = 0x77490000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1717 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1718 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1719 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1720 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1721 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1722 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1723 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1725 start_va = 0x70000 end_va = 0x93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1727 start_va = 0x630000 end_va = 0x647fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1728 start_va = 0x2e0000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1729 start_va = 0x73a00000 end_va = 0x73a07fff entry_point = 0x73a020f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1730 start_va = 0x73a10000 end_va = 0x73a6bfff entry_point = 0x73a4f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1731 start_va = 0x73a70000 end_va = 0x73aaefff entry_point = 0x73a9de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1732 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1733 start_va = 0x1c0000 end_va = 0x226fff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1734 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1735 start_va = 0x7e0000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1736 start_va = 0x74fb0000 end_va = 0x74fb8fff entry_point = 0x74fb0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1737 start_va = 0x74fc0000 end_va = 0x74fcdfff entry_point = 0x74fc0000 region_type = mapped_file name = "cmutil.dll" filename = "\\Windows\\SysWOW64\\cmutil.dll" (normalized: "c:\\windows\\syswow64\\cmutil.dll") Region: id = 1738 start_va = 0x74fe0000 end_va = 0x74febfff entry_point = 0x74fe10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1739 start_va = 0x74ff0000 end_va = 0x7504ffff entry_point = 0x7500a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1740 start_va = 0x75080000 end_va = 0x75cc9fff entry_point = 0x75101601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1741 start_va = 0x75cd0000 end_va = 0x75d26fff entry_point = 0x75ce9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1742 start_va = 0x76260000 end_va = 0x762fffff entry_point = 0x762749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1743 start_va = 0x76300000 end_va = 0x7638ffff entry_point = 0x76316343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1744 start_va = 0x76720000 end_va = 0x7682ffff entry_point = 0x767332d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1745 start_va = 0x768f0000 end_va = 0x769dffff entry_point = 0x76900569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1746 start_va = 0x76b00000 end_va = 0x76c5bfff entry_point = 0x76b4ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1747 start_va = 0x76ca0000 end_va = 0x76d4bfff entry_point = 0x76caa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1748 start_va = 0x76d50000 end_va = 0x76d59fff entry_point = 0x76d536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1749 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76da3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1750 start_va = 0x76e10000 end_va = 0x76e55fff entry_point = 0x76e17478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1751 start_va = 0x76e70000 end_va = 0x76e88fff entry_point = 0x76e74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1752 start_va = 0x76f90000 end_va = 0x7708ffff entry_point = 0x76fab6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1753 start_va = 0x77090000 end_va = 0x771aefff entry_point = 0x0 region_type = private name = "private_0x0000000077090000" filename = "" Region: id = 1754 start_va = 0x771b0000 end_va = 0x772a9fff entry_point = 0x0 region_type = private name = "private_0x00000000771b0000" filename = "" Region: id = 1755 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1756 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1757 start_va = 0x650000 end_va = 0x7d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 1758 start_va = 0x76160000 end_va = 0x7622bfff entry_point = 0x7616168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1759 start_va = 0x764d0000 end_va = 0x7652ffff entry_point = 0x764e158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1760 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1761 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1762 start_va = 0xa0000 end_va = 0xa4fff entry_point = 0xa0000 region_type = mapped_file name = "cmstp.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmstp.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmstp.exe.mui") Region: id = 1763 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1764 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1765 start_va = 0x7f0000 end_va = 0x970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1766 start_va = 0x980000 end_va = 0x1d7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 1767 start_va = 0x1ec0000 end_va = 0x2040fff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 1768 start_va = 0x2050000 end_va = 0x2352fff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 1769 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1770 start_va = 0x130000 end_va = 0x153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1771 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 1772 start_va = 0x440000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1773 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1774 start_va = 0x230000 end_va = 0x253fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1775 start_va = 0x260000 end_va = 0x2c4fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1776 start_va = 0x3c0000 end_va = 0x424fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1777 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1778 start_va = 0x2360000 end_va = 0x2841fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002360000" filename = "" Region: id = 1779 start_va = 0x1d80000 end_va = 0x1e7afff entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 1780 start_va = 0x74c90000 end_va = 0x74e44fff entry_point = 0x74c90000 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll") Region: id = 1781 start_va = 0x74f70000 end_va = 0x74fa1fff entry_point = 0x74f70000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 1782 start_va = 0x74e60000 end_va = 0x74e66fff entry_point = 0x74e60000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 1783 start_va = 0x76c60000 end_va = 0x76c94fff entry_point = 0x76c60000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1784 start_va = 0x768c0000 end_va = 0x768c5fff entry_point = 0x768c0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1785 start_va = 0x74bd0000 end_va = 0x74c8efff entry_point = 0x74bd0000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\SysWOW64\\msvcr100.dll" (normalized: "c:\\windows\\syswow64\\msvcr100.dll") Region: id = 1786 start_va = 0x74fa0000 end_va = 0x74fabfff entry_point = 0x74fa0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\SysWOW64\\vaultcli.dll" (normalized: "c:\\windows\\syswow64\\vaultcli.dll") Region: id = 1787 start_va = 0x74cc0000 end_va = 0x74e4ffff entry_point = 0x74cc0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 1788 start_va = 0x737e0000 end_va = 0x7385ffff entry_point = 0x737f37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1789 start_va = 0x1e80000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 1790 start_va = 0x1f50000 end_va = 0x202efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 1791 start_va = 0x2850000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 1792 start_va = 0x2970000 end_va = 0x2c3efff entry_point = 0x2970000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1793 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1794 start_va = 0x2cc0000 end_va = 0x2cfffff entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 1795 start_va = 0x2d00000 end_va = 0x31f1fff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1796 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1797 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1798 start_va = 0x74bc0000 end_va = 0x74cbafff entry_point = 0x74bc0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 1799 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1800 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1801 start_va = 0x760d0000 end_va = 0x7615efff entry_point = 0x760d3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1802 start_va = 0x2850000 end_va = 0x294ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 1803 start_va = 0x2960000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 1806 start_va = 0x580000 end_va = 0x5f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1825 start_va = 0x580000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1827 start_va = 0x580000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1829 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1874 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1875 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1876 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1877 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1878 start_va = 0x5c0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1879 start_va = 0x1eb0000 end_va = 0x1eeffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1880 start_va = 0x1f10000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 1881 start_va = 0x2880000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 1882 start_va = 0x2c60000 end_va = 0x2c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 1883 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1884 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1885 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1886 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1887 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1888 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1889 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1890 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1891 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1892 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1893 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1894 start_va = 0x2930000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 1895 start_va = 0x2cd0000 end_va = 0x2d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 1896 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1897 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1898 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1910 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1911 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1912 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2078 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2079 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2080 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2081 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2082 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2083 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2084 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2085 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2086 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2087 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2090 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2091 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2092 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Thread: id = 94 os_tid = 0x668 [0153.295] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x1bf1fc | out: HeapArray=0x1bf1fc*=0x480000) returned 0x2 [0153.300] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x1bf1b0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.302] NtCreateFile (in: FileHandle=0x1bf1dc, DesiredAccess=0x120089, ObjectAttributes=0x1bf198*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bf1b8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bf1dc*=0x98, IoStatusBlock=0x1bf1b8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.311] NtQueryInformationFile (in: FileHandle=0x98, IoStatusBlock=0x1bf1b8, FileInformation=0x1bf110, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1bf1b8, FileInformation=0x1bf110) returned 0x0 [0153.355] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x1bf150, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.355] NtCreateFile (in: FileHandle=0x1bf17c, DesiredAccess=0x120089, ObjectAttributes=0x1bf138*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bf158, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bf17c*=0x98, IoStatusBlock=0x1bf158*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.355] NtQueryInformationFile (in: FileHandle=0x98, IoStatusBlock=0x1bf158, FileInformation=0x1beecc, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x1bf158, FileInformation=0x1beecc) returned 0x0 [0153.355] NtClose (Handle=0x98) returned 0x0 [0153.358] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x73a01320, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x1bf188, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x1bf188*(BaseAddress=0x73a01000, AllocationBase=0x73a00000, AllocationProtect=0x80, RegionSize=0x3000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0153.570] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x1bf1e0, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x1bf1e0, ResultLength=0x0) returned 0x0 [0153.573] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x1bf204, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x1bf204, ReturnLength=0x0) returned 0x0 [0153.585] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1bee94*=0x0, ZeroBits=0x0, RegionSize=0x1bee98*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1bee94*=0xd0000, RegionSize=0x1bee98*=0x10000) returned 0x0 [0153.588] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0153.596] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf1f4*=0xd0000, RegionSize=0x1bf1f8, FreeType=0x8000) returned 0x0 [0153.608] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x1befb0 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0153.613] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1bf20c | out: TokenHandle=0x1bf20c*=0x98) returned 0x0 [0153.615] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1bf200 | out: lpLuid=0x1bf200*(LowPart=0x14, HighPart=0)) returned 1 [0153.620] NtAdjustPrivilegesToken (in: TokenHandle=0x98, DisableAllPrivileges=0, NewState=0x1bf1fc, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0153.621] NtClose (Handle=0x98) returned 0x0 [0153.621] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x1bed54 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0153.621] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="L53886-W", Value=0x1befec | out: Value=0x1befec) returned 0xc0000100 [0153.621] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x1beb34 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0153.624] NtOpenDirectoryObject (in: FileHandle=0x1bede0, DesiredAccess=0x2000f, ObjectAttributes=0x1bedac*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x1bede0*=0x98) returned 0x0 [0153.626] NtCreateMutant (in: MutantHandle=0x1bf00c, DesiredAccess=0x1f0001, ObjectAttributes=0x1bed94*(Length=0x18, RootDirectory=0x98, ObjectName="L53886-WGVVJKAFC", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x1bf00c*=0xdc) returned 0x0 [0153.626] NtClose (Handle=0x98) returned 0x0 [0153.626] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x1beb30 | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0153.626] NtOpenDirectoryObject (in: FileHandle=0x1bedd8, DesiredAccess=0x2000f, ObjectAttributes=0x1beda4*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x1bedd8*=0x98) returned 0x0 [0153.626] NtCreateMutant (in: MutantHandle=0x1bf004, DesiredAccess=0x1f0001, ObjectAttributes=0x1bed8c*(Length=0x18, RootDirectory=0x98, ObjectName="8Q-59UAVA1ZvGWMZ", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x1bf004*=0xe0) returned 0x0 [0153.626] NtClose (Handle=0x98) returned 0x0 [0153.631] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERPROFILE", Value=0x1bed44 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x0 [0153.636] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\igfxonux.scr", NtPathName=0x1bed10, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.638] NtCreateFile (in: FileHandle=0x1bed3c, DesiredAccess=0x120089, ObjectAttributes=0x1becf8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bed18, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bed3c*=0x0, IoStatusBlock=0x1bed18*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0153.638] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x1bed44 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0153.638] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x1bed10, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.638] NtCreateFile (in: FileHandle=0x1bed3c, DesiredAccess=0x120089, ObjectAttributes=0x1becf8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bed18, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bed3c*=0x98, IoStatusBlock=0x1bed18*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.641] NtQueryInformationFile (in: FileHandle=0x98, IoStatusBlock=0x1bed18, FileInformation=0x1bec70, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1bed18, FileInformation=0x1bec70) returned 0x0 [0153.641] NtClose (Handle=0x98) returned 0x0 [0153.641] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x1bed34, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.641] NtCreateFile (in: FileHandle=0x1bed60, DesiredAccess=0x120089, ObjectAttributes=0x1bed1c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bed3c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bed60*=0x98, IoStatusBlock=0x1bed3c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.641] NtQueryInformationFile (in: FileHandle=0x98, IoStatusBlock=0x1bed3c, FileInformation=0x1bec6c, Length=0x28, FileInformationClass=0x4 | out: IoStatusBlock=0x1bed3c, FileInformation=0x1bec6c) returned 0x0 [0153.641] NtClose (Handle=0x98) returned 0x0 [0153.641] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x1befe8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.641] NtCreateFile (in: FileHandle=0x1bf014, DesiredAccess=0x120189, ObjectAttributes=0x1befd0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1beff0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bf014*=0x98, IoStatusBlock=0x1beff0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.641] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1bebe4 | out: TokenHandle=0x1bebe4*=0xe4) returned 0x0 [0153.644] NtQueryInformationToken (in: TokenHandle=0xe4, TokenInformationClass=0x1, TokenInformation=0x1be3dc, TokenInformationLength=0x400, ReturnLength=0x1bebdc | out: TokenInformation=0x1be3dc, ReturnLength=0x1bebdc) returned 0x0 [0153.645] ConvertSidToStringSidW () returned 0x1 [0153.645] NtClose (Handle=0xe4) returned 0x0 [0153.647] NtCreateKey (in: KeyHandle=0x1bf01c, DesiredAccess=0x20219, ObjectAttributes=0x1be570*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1bf01c*=0xe4) returned 0x0 [0153.649] NtEnumerateValueKey (in: KeyHandle=0xe4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be7c4, Length=0x200, ResultLength=0x1bebc4 | out: KeyValueInformation=0x1be7c4, ResultLength=0x1bebc4) returned 0x0 [0153.649] NtClose (Handle=0xe4) returned 0x0 [0153.658] SetErrorMode (uMode=0x8003) returned 0x1 [0153.660] NtCreateSection (in: SectionHandle=0x1bec34, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x1be9b0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1bec34*=0xe4) returned 0x0 [0153.662] NtMapViewOfSection (in: SectionHandle=0xe4, ProcessHandle=0xffffffff, BaseAddress=0x1bec38*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be9b0*=0x23a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1bec38*=0x130000, SectionOffset=0x0, ViewSize=0x1be9b0*=0x24000) returned 0x0 [0153.663] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9a8*=0x0, ZeroBits=0x0, RegionSize=0x1be9ac*=0x23a00, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x1be9a8*=0x230000, RegionSize=0x1be9ac*=0x24000) returned 0x0 [0153.665] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1bdbe4 | out: TokenHandle=0x1bdbe4*=0xe8) returned 0x0 [0153.665] NtQueryInformationToken (in: TokenHandle=0xe8, TokenInformationClass=0x1, TokenInformation=0x1bd3dc, TokenInformationLength=0x400, ReturnLength=0x1bdbdc | out: TokenInformation=0x1bd3dc, ReturnLength=0x1bdbdc) returned 0x0 [0153.665] ConvertSidToStringSidW () returned 0x1 [0153.665] NtClose (Handle=0xe8) returned 0x0 [0153.665] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1bde54*=0x0, ZeroBits=0x0, RegionSize=0x1bde58*=0x64afa, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x1bde54*=0x260000, RegionSize=0x1bde58*=0x65000) returned 0x0 [0153.665] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1bde40*=0x0, ZeroBits=0x0, RegionSize=0x1bde44*=0x64afa, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x1bde40*=0x3c0000, RegionSize=0x1bde44*=0x65000) returned 0x0 [0153.667] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="windir", Value=0x1be710 | out: Value="C:\\Windows") returned 0x0 [0153.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\drivers\\etc\\hosts", NtPathName=0x1be6dc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.667] NtCreateFile (in: FileHandle=0x1be708, DesiredAccess=0x120089, ObjectAttributes=0x1be6c4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts" (normalized: "c:\\windows\\system32\\drivers\\etc\\hosts"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be6e4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be708*=0xe8, IoStatusBlock=0x1be6e4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.667] NtQueryInformationFile (in: FileHandle=0xe8, IoStatusBlock=0x1be6e4, FileInformation=0x1be63c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be6e4, FileInformation=0x1be63c) returned 0x0 [0153.667] NtClose (Handle=0xe8) returned 0x0 [0153.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\drivers\\etc\\hosts", NtPathName=0x1be6cc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.667] NtCreateFile (in: FileHandle=0x1be6f8, DesiredAccess=0x120089, ObjectAttributes=0x1be6b4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts" (normalized: "c:\\windows\\system32\\drivers\\etc\\hosts"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be6d4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be6f8*=0xe8, IoStatusBlock=0x1be6d4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.668] NtQueryInformationFile (in: FileHandle=0xe8, IoStatusBlock=0x1be6d4, FileInformation=0x1be62c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be6d4, FileInformation=0x1be62c) returned 0x0 [0153.671] NtReadFile (in: FileHandle=0xe8, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x1be6d4, Buffer=0x49d588, BufferLength=0x338, ByteOffset=0x1be644*=0, Key=0x0 | out: IoStatusBlock=0x1be6d4, Buffer=0x49d588*) returned 0x0 [0153.671] NtClose (Handle=0xe8) returned 0x0 [0153.671] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0153.671] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0153.683] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x1be18c | out: Value="5p5NrGJn0jS HALPmcxz") returned 0x0 [0153.684] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x1be3dc | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0153.684] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV", NtPathName=0x1be3f4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.684] NtCreateFile (in: FileHandle=0x1be420, DesiredAccess=0x100181, ObjectAttributes=0x1be3dc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be3fc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x21, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be420*=0xe8, IoStatusBlock=0x1be3fc*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.684] NtClose (Handle=0xe8) returned 0x0 [0153.684] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x1be3bc | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0153.685] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-log.ini", NtPathName=0x1be41c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-log.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.685] NtCreateFile (in: FileHandle=0x1be448, DesiredAccess=0x12019f, ObjectAttributes=0x1be404*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-log.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-log.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be424, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be448*=0xe8, IoStatusBlock=0x1be424*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.694] NtClose (Handle=0xe8) returned 0x0 [0153.694] NtCreateSection (in: SectionHandle=0x1bfa1c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x1be41c, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1bfa1c*=0xe8) returned 0x0 [0153.694] NtMapViewOfSection (in: SectionHandle=0xe8, ProcessHandle=0xffffffff, BaseAddress=0x1bfa18*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be41c*=0x4e2000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x1bfa18*=0x2360000, SectionOffset=0x0, ViewSize=0x1be41c*=0x4e2000) returned 0x0 [0153.694] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1bdc40 | out: TokenHandle=0x1bdc40*=0xec) returned 0x0 [0153.694] NtQueryInformationToken (in: TokenHandle=0xec, TokenInformationClass=0x1, TokenInformation=0x1bd438, TokenInformationLength=0x400, ReturnLength=0x1bdc38 | out: TokenInformation=0x1bd438, ReturnLength=0x1bdc38) returned 0x0 [0153.695] ConvertSidToStringSidW () returned 0x1 [0153.695] NtClose (Handle=0xec) returned 0x0 [0153.701] RtlIntegerToChar (in: Value=0xe51f6973, Base=0x10, Length=0x20, String=0x2362055 | out: String="E51F6973") returned 0x0 [0153.701] NtCreateKey (in: KeyHandle=0x1be674, DesiredAccess=0x20219, ObjectAttributes=0x1bdc40*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be674*=0xec) returned 0x0 [0153.707] NtQueryValueKey (in: KeyHandle=0xec, ValueName="ProductName", KeyValueInformationClass=0x1, KeyValueInformation=0x1be28c, Length=0x100, ResultLength=0x1be644 | out: KeyValueInformation=0x1be28c*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x2e, NameLength=0x16, Name="ProductName", Data="Windows 7 Professional"), ResultLength=0x1be644) returned 0x0 [0153.707] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1bdc70*=0x0, ZeroBits=0x0, RegionSize=0x1bdc74*=0xfa200, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x1bdc70*=0x1d80000, RegionSize=0x1bdc74*=0xfb000) returned 0x0 [0153.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x1bdc48, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.708] NtCreateFile (in: FileHandle=0x1bdc74, DesiredAccess=0x120089, ObjectAttributes=0x1bdc30*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bdc50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bdc74*=0xf0, IoStatusBlock=0x1bdc50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.708] NtQueryInformationFile (in: FileHandle=0xf0, IoStatusBlock=0x1bdc50, FileInformation=0x1bdba8, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1bdc50, FileInformation=0x1bdba8) returned 0x0 [0153.708] NtClose (Handle=0xf0) returned 0x0 [0153.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtPathName=0x1bdc38, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.708] NtCreateFile (in: FileHandle=0x1bdc64, DesiredAccess=0x120089, ObjectAttributes=0x1bdc20*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\igfxonux.scr" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\igfxonux.scr"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bdc40, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bdc64*=0xf0, IoStatusBlock=0x1bdc40*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.708] NtQueryInformationFile (in: FileHandle=0xf0, IoStatusBlock=0x1bdc40, FileInformation=0x1bdb98, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1bdc40, FileInformation=0x1bdb98) returned 0x0 [0153.708] NtReadFile (in: FileHandle=0xf0, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x1bdc40, Buffer=0x2461270, BufferLength=0x47000, ByteOffset=0x1bdbb0*=0, Key=0x0 | out: IoStatusBlock=0x1bdc40, Buffer=0x2461270*) returned 0x0 [0153.711] NtClose (Handle=0xf0) returned 0x0 [0153.711] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1be014 | out: TokenHandle=0x1be014*=0xf0) returned 0x0 [0153.711] NtQueryInformationToken (in: TokenHandle=0xf0, TokenInformationClass=0x1, TokenInformation=0x1bd80c, TokenInformationLength=0x400, ReturnLength=0x1be00c | out: TokenInformation=0x1bd80c, ReturnLength=0x1be00c) returned 0x0 [0153.711] ConvertSidToStringSidW () returned 0x1 [0153.711] NtClose (Handle=0xf0) returned 0x0 [0153.711] NtCreateKey (in: KeyHandle=0x1be668, DesiredAccess=0x20219, ObjectAttributes=0x1be010*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be668*=0xf0) returned 0x0 [0153.711] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtPathName=0x1bdf04, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.712] NtCreateFile (in: FileHandle=0x1bdf30, DesiredAccess=0x120089, ObjectAttributes=0x1bdeec*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrc.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrc.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bdf0c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bdf30*=0xf4, IoStatusBlock=0x1bdf0c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.712] NtQueryInformationFile (in: FileHandle=0xf4, IoStatusBlock=0x1bdf0c, FileInformation=0x1bde64, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1bdf0c, FileInformation=0x1bde64) returned 0x0 [0153.712] NtClose (Handle=0xf4) returned 0x0 [0153.712] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1bd750 | out: TokenHandle=0x1bd750*=0xf4) returned 0x0 [0153.712] NtQueryInformationToken (in: TokenHandle=0xf4, TokenInformationClass=0x1, TokenInformation=0x1bcf48, TokenInformationLength=0x400, ReturnLength=0x1bd748 | out: TokenInformation=0x1bcf48, ReturnLength=0x1bd748) returned 0x0 [0153.712] ConvertSidToStringSidW () returned 0x1 [0153.712] NtClose (Handle=0xf4) returned 0x0 [0153.712] NtCreateKey (in: KeyHandle=0x1be664, DesiredAccess=0x20219, ObjectAttributes=0x1bd74c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be664*=0xf4) returned 0x0 [0153.712] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini", NtPathName=0x1bd64c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.712] NtCreateFile (in: FileHandle=0x1bd678, DesiredAccess=0x120089, ObjectAttributes=0x1bd634*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logri.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logri.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1bd654, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1bd678*=0xf8, IoStatusBlock=0x1bd654*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.713] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x1bd654, FileInformation=0x1bd5ac, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1bd654, FileInformation=0x1bd5ac) returned 0x0 [0153.713] NtClose (Handle=0xf8) returned 0x0 [0153.713] NtClose (Handle=0xf4) returned 0x0 [0153.713] NtCreateKey (in: KeyHandle=0x1be5c4, DesiredAccess=0x20219, ObjectAttributes=0x1be43c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be5c4*=0xf4) returned 0x0 [0153.713] NtQueryValueKey (in: KeyHandle=0xf4, ValueName="CurrentVersion", KeyValueInformationClass=0x1, KeyValueInformation=0x4a2a00, Length=0x100, ResultLength=0x1be5ac | out: KeyValueInformation=0x4a2a00*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x1a, NameLength=0x1c, Name="CurrentVersion", Data="25.0 (en-US)"), ResultLength=0x1be5ac) returned 0x0 [0153.713] NtClose (Handle=0xf4) returned 0x0 [0153.717] RtlCharToInteger (in: String="25.0 (en-US)", Base=0x0, Value=0x4a259c | out: Value=0x4a259c) returned 0x0 [0153.717] NtCreateKey (in: KeyHandle=0x1be5c4, DesiredAccess=0x20219, ObjectAttributes=0x1be45c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be5c4*=0xf4) returned 0x0 [0153.717] NtQueryValueKey (in: KeyHandle=0xf4, ValueName="Install Directory", KeyValueInformationClass=0x1, KeyValueInformation=0x4a2600, Length=0x200, ResultLength=0x1be5ac | out: KeyValueInformation=0x4a2600*(TitleIndex=0x0, Type=0x1, DataOffset=0x38, DataLength=0x4e, NameLength=0x22, Name="Install Directory", Data="C:\\Program Files (x86)\\Mozilla Firefox"), ResultLength=0x1be5ac) returned 0x0 [0153.718] NtClose (Handle=0xf4) returned 0x0 [0153.718] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="PATH", Value=0x1be208 | out: Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x0 [0153.726] RtlSetEnvironmentVariable (in: Environment=0x0, Name="PATH", Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files (x86)\\Mozilla Firefox" | out: Environment=0x0) returned 0x0 [0153.726] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll", BaseAddress=0x1be200 | out: BaseAddress=0x1be200*=0x0) returned 0xc0000135 [0153.901] RtlSetEnvironmentVariable (in: Environment=0x0, Name="PATH", Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" | out: Environment=0x0) returned 0x0 [0153.901] NtCreateKey (in: KeyHandle=0x1be5bc, DesiredAccess=0x20219, ObjectAttributes=0x1be434*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Thunderbird\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be5bc*=0x0) returned 0xc0000022 [0153.901] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x1be16c | out: Value="C:\\Program Files (x86)") returned 0x0 [0153.901] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0x1be144, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.901] NtCreateFile (in: FileHandle=0x1be170, DesiredAccess=0x120089, ObjectAttributes=0x1be12c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be14c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be170*=0xf4, IoStatusBlock=0x1be14c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.902] NtQueryInformationFile (in: FileHandle=0xf4, IoStatusBlock=0x1be14c, FileInformation=0x1be0a4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be14c, FileInformation=0x1be0a4) returned 0x0 [0153.902] NtClose (Handle=0xf4) returned 0x0 [0153.902] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="LOCALAPPDATA", Value=0x1be224 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 0x0 [0153.902] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtPathName=0x1be1fc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.902] NtCreateFile (in: FileHandle=0x1be228, DesiredAccess=0x120089, ObjectAttributes=0x1be1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be204, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be228*=0xf4, IoStatusBlock=0x1be204*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.909] NtQueryInformationFile (in: FileHandle=0xf4, IoStatusBlock=0x1be204, FileInformation=0x1be15c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be204, FileInformation=0x1be15c) returned 0x0 [0153.909] NtClose (Handle=0xf4) returned 0x0 [0153.909] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="winsqlite3.dll", BaseAddress=0x1be1b4 | out: BaseAddress=0x1be1b4*=0x0) returned 0xc0000135 [0153.912] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x1be174 | out: Value="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0153.912] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtPathName=0x1be15c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.912] NtCreateFile (in: FileHandle=0x1be188, DesiredAccess=0x120089, ObjectAttributes=0x1be144*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\opera software\\opera stable\\login data"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be164, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be188*=0x0, IoStatusBlock=0x1be164*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0153.912] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="vaultcli.dll", BaseAddress=0x1be39c | out: BaseAddress=0x1be39c*=0x74fa0000) returned 0x0 [0153.925] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini", NtPathName=0x1be270, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0153.925] NtCreateFile (in: FileHandle=0x1be29c, DesiredAccess=0x120089, ObjectAttributes=0x1be258*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logrv.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8q-59uav\\8q-logrv.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be278, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be29c*=0xf8, IoStatusBlock=0x1be278*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0153.926] NtQueryInformationFile (in: FileHandle=0xf8, IoStatusBlock=0x1be278, FileInformation=0x1be1d0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be278, FileInformation=0x1be1d0) returned 0x0 [0153.926] NtClose (Handle=0xf8) returned 0x0 [0153.926] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="gdiplus.dll", BaseAddress=0x1be264 | out: BaseAddress=0x1be264*=0x74cc0000) returned 0x0 [0153.978] GetDC (hWnd=0x0) returned 0x1401007f [0153.978] CreateCompatibleDC (hdc=0x1401007f) returned 0xd0107e9 [0153.978] GetSystemMetrics (nIndex=0) returned 1440 [0153.982] GetSystemMetrics (nIndex=1) returned 900 [0153.982] CreateCompatibleBitmap (hdc=0x1401007f, cx=1440, cy=900) returned 0x100507d8 [0153.983] SelectObject (hdc=0xd0107e9, h=0x100507d8) returned 0x185000f [0153.983] BitBlt (hdc=0xd0107e9, x=0, y=0, cx=1440, cy=900, hdcSrc=0x1401007f, x1=0, y1=0, rop=0xcc0020) returned 1 [0153.985] GdiplusStartup (in: token=0x1be61c, input=0x1be5e4, output=0x0 | out: token=0x1be61c, output=0x0) returned 0x0 [0154.084] GdipCreateBitmapFromHBITMAP (hbm=0x100507d8, hpal=0x0, bitmap=0x1be618) returned 0x0 [0154.105] GdipGetImageEncodersSize (numEncoders=0x1be270, size=0x1be26c) returned 0x0 [0154.105] GdipGetImageEncoders (in: numEncoders=0x5, size=0x410, encoders=0x4abb78 | out: encoders=0x4abb78) returned 0x0 [0154.106] GdipSaveImageToFile (image=0x2962230, filename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8Q-59UAV\\8Q-logim.jpeg", clsidEncoder=0x1be5d4*(Data1=0x557cf401, Data2=0x1a04, Data3=0x11d3, Data4=([0]=0x9a, [1]=0x73, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x1e, [6]=0xf3, [7]=0x2e)), encoderParams=0x0) returned 0x0 [0154.321] GdiplusShutdown (token=0xbcf7) [0154.425] DeleteObject (ho=0x100507d8) returned 1 [0154.425] DeleteObject (ho=0xd0107e9) returned 1 [0154.425] ReleaseDC (hWnd=0x0, hDC=0x1401007f) returned 1 [0154.428] NtOpenProcess (in: ProcessHandle=0x1be9d8, DesiredAccess=0x438, ObjectAttributes=0x1be9a0*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x1be9b8*(UniqueProcess=0x34c, UniqueThread=0x0) | out: ProcessHandle=0x1be9d8*=0x10c) returned 0x0 [0154.428] NtQueryInformationProcess (in: ProcessHandle=0x10c, ProcessInformationClass=0x1a, ProcessInformation=0x1be9c8, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x1be9c8, ReturnLength=0x0) returned 0x0 [0154.428] NtMapViewOfSection (in: SectionHandle=0xe8, ProcessHandle=0x10c, BaseAddress=0x1be9c4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be9c0*=0x4e2000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x1be9c4*=0x95c0000, SectionOffset=0x0, ViewSize=0x1be9c0*=0x4e2000) returned 0x0 [0154.429] NtClose (Handle=0x10c) returned 0x0 [0154.431] NtDelayExecution (Alertable=0, Interval=0x1be618*=-50000000) returned 0x0 [0159.433] NtOpenProcess (in: ProcessHandle=0x1be5e8, DesiredAccess=0x438, ObjectAttributes=0x1bdba8*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x1bdbe8*(UniqueProcess=0x34c, UniqueThread=0x0) | out: ProcessHandle=0x1be5e8*=0x10c) returned 0x0 [0159.436] NtQueryInformationProcess (in: ProcessHandle=0x10c, ProcessInformationClass=0x0, ProcessInformation=0x1bdbf8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1bdbf8, ReturnLength=0x0) returned 0x0 [0159.439] NtReadVirtualMemory (in: ProcessHandle=0x10c, BaseAddress=0x7fffffd4000, Buffer=0x1be060, NumberOfBytesToRead=0x40, NumberOfBytesRead=0x0 | out: Buffer=0x1be060*, NumberOfBytesRead=0x0) returned 0x0 [0159.442] NtOpenThread (in: ThreadHandle=0x1bdba0, DesiredAccess=0x1a, ObjectAttributes=0x1bdba8, ClientId=0x1bdbd8*(UniqueProcess=0x0, UniqueThread=0x358) | out: ThreadHandle=0x1bdba0*=0x110) returned 0x0 [0159.445] NtSuspendThread (in: ThreadHandle=0x110, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0159.451] NtGetContextThread (in: ThreadHandle=0x110, Context=0x1be0e0 | out: Context=0x1be0e0*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x35, [75]=0xad, [76]=0x19, [77]=0x77, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x2b9e000, SegEs=0x0, SegDs=0x20f528, Edi=0x0, Esi=0x100f0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0xc0033, Esp=0x405, SegSs=0xc0000034, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x38, [5]=0xe5, [6]=0x20, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x3a, [45]=0x93, [46]=0x1c, [47]=0x77, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0159.457] NtCreateSection (in: SectionHandle=0x1bdb80, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x1bdb20, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1bdb80*=0x114) returned 0x0 [0159.460] NtMapViewOfSection (in: SectionHandle=0x114, ProcessHandle=0x10c, BaseAddress=0x1bdb88*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1bdb28*=0x74afa, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1bdb88*=0x8220000, SectionOffset=0x0, ViewSize=0x1bdb28*=0x75000) returned 0x0 [0159.461] NtMapViewOfSection (in: SectionHandle=0x114, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1bdb78*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1bdb28*=0x75000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1bdb78*=0x580000, SectionOffset=0x0, ViewSize=0x1bdb28*=0x75000) returned 0x0 [0159.467] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0x580000) returned 0x0 [0159.470] NtClose (Handle=0x114) returned 0x0 [0159.475] NtSetContextThread (ThreadHandle=0x110, Context=0x1be0e0*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x35, [75]=0xad, [76]=0x19, [77]=0x77, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x2b9e000, SegEs=0x0, SegDs=0x20f528, Edi=0x0, Esi=0x100f0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0xc0033, Esp=0x405, SegSs=0xc0000034, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x38, [5]=0xe5, [6]=0x20, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x4, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x89, [45]=0x9e, [46]=0x23, [47]=0x8, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0159.475] NtQueueApcThread (ThreadHandle=0x110, ApcRoutine=0x8239e96, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0159.479] NtResumeThread (in: ThreadHandle=0x110, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0159.479] NtClose (Handle=0x10c) returned 0x0 [0159.479] NtClose (Handle=0x110) returned 0x0 [0159.485] PostThreadMessageW (idThread=0x34c, Msg=0x111, wParam=0x0, lParam=0x0) returned 0 [0159.708] PostThreadMessageW (idThread=0x34c, Msg=0x8003, wParam=0x1be640, lParam=0x0) returned 0 [0159.715] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0159.715] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0164.719] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x1be498 | out: Value="C:\\Program Files (x86)") returned 0x0 [0164.719] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0x1be470, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.719] NtCreateFile (in: FileHandle=0x1be49c, DesiredAccess=0x120089, ObjectAttributes=0x1be458*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be478, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be49c*=0x110, IoStatusBlock=0x1be478*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0164.720] NtQueryInformationFile (in: FileHandle=0x110, IoStatusBlock=0x1be478, FileInformation=0x1be3d0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be478, FileInformation=0x1be3d0) returned 0x0 [0164.720] NtClose (Handle=0x110) returned 0x0 [0164.728] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0x1be46c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.728] NtCreateFile (in: FileHandle=0x1be498, DesiredAccess=0x120089, ObjectAttributes=0x1be454*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1be474, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1be498*=0x110, IoStatusBlock=0x1be474*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0164.728] NtQueryInformationFile (in: FileHandle=0x110, IoStatusBlock=0x1be474, FileInformation=0x1be3cc, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1be474, FileInformation=0x1be3cc) returned 0x0 [0164.730] NtReadFile (in: FileHandle=0x110, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x1be474, Buffer=0x4af970, BufferLength=0x43470, ByteOffset=0x1be3e4*=0, Key=0x0 | out: IoStatusBlock=0x1be474, Buffer=0x4af970*) returned 0x0 [0164.732] NtClose (Handle=0x110) returned 0x0 [0164.736] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0xc, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x1be738*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1be710, hNewToken=0x0 | out: lpProcessInformation=0x1be710*(hProcess=0x10c, hThread=0x110, dwProcessId=0x6dc, dwThreadId=0x6f8), hNewToken=0x0) returned 1 [0164.812] NtQueryInformationProcess (in: ProcessHandle=0x10c, ProcessInformationClass=0x1a, ProcessInformation=0x1be79c, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x1be79c, ReturnLength=0x0) returned 0x0 [0164.812] NtQueryInformationProcess (in: ProcessHandle=0x10c, ProcessInformationClass=0x0, ProcessInformation=0x1be468, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x1be468, ReturnLength=0x0) returned 0x0 [0164.816] NtReadVirtualMemory (in: ProcessHandle=0x10c, BaseAddress=0xfffde000, Buffer=0x1be4b0, NumberOfBytesToRead=0x20, NumberOfBytesRead=0x0 | out: Buffer=0x1be4b0*, NumberOfBytesRead=0x0) returned 0x0 [0164.816] NtMapViewOfSection (in: SectionHandle=0xe8, ProcessHandle=0x10c, BaseAddress=0x1be488*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be484*=0x4e2000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x1be488*=0x3e0000, SectionOffset=0x0, ViewSize=0x1be484*=0x4e2000) returned 0x0 [0164.826] NtCreateSection (in: SectionHandle=0x1be47c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x1be43c, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1be47c*=0x11c) returned 0x0 [0164.826] NtMapViewOfSection (in: SectionHandle=0x11c, ProcessHandle=0xffffffff, BaseAddress=0x1be484*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be43c*=0x80840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1be484*=0x580000, SectionOffset=0x0, ViewSize=0x1be43c*=0x81000) returned 0x0 [0164.826] NtMapViewOfSection (in: SectionHandle=0x11c, ProcessHandle=0x10c, BaseAddress=0x1be480*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be478*=0x80840, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1be480*=0x70000, SectionOffset=0x0, ViewSize=0x1be478*=0x81000) returned 0x0 [0164.832] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x580000) returned 0x0 [0164.834] NtClose (Handle=0x11c) returned 0x0 [0164.834] NtReadVirtualMemory (in: ProcessHandle=0x10c, BaseAddress=0x1190000, Buffer=0x4f31e8, NumberOfBytesToRead=0x44000, NumberOfBytesRead=0x0 | out: Buffer=0x4f31e8*, NumberOfBytesRead=0x0) returned 0x0 [0164.839] NtCreateSection (in: SectionHandle=0x1be4fc, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x1be470, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1be4fc*=0x11c) returned 0x0 [0164.839] NtMapViewOfSection (in: SectionHandle=0x11c, ProcessHandle=0xffffffff, BaseAddress=0x1be500*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be470*=0x44000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1be500*=0x580000, SectionOffset=0x0, ViewSize=0x1be470*=0x44000) returned 0x0 [0164.844] NtUnmapViewOfSection (ProcessHandle=0x10c, BaseAddress=0x1190000) returned 0x0 [0164.846] NtMapViewOfSection (in: SectionHandle=0x11c, ProcessHandle=0x10c, BaseAddress=0x1be504*=0x1190000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1be730*=0x44000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1be504*=0x1190000, SectionOffset=0x0, ViewSize=0x1be730*=0x44000) returned 0x0 [0164.846] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x580000) returned 0x0 [0164.851] NtResumeThread (in: ThreadHandle=0x110, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0164.851] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0164.851] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0164.851] NtClose (Handle=0x114) returned 0x0 [0164.851] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0164.852] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0164.872] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0164.872] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0169.896] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0169.896] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0169.896] NtClose (Handle=0x114) returned 0x0 [0169.896] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0169.896] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0169.915] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0169.915] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0174.919] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0174.919] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0174.919] NtClose (Handle=0x114) returned 0x0 [0174.919] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0174.919] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0174.944] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0174.945] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0180.004] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0180.004] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0180.004] NtClose (Handle=0x114) returned 0x0 [0180.004] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0180.004] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0180.027] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0180.028] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0185.027] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0185.027] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0185.027] NtClose (Handle=0xb8) returned 0x0 [0185.027] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0185.028] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0185.057] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0185.057] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0190.053] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0190.053] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0190.053] NtClose (Handle=0xb8) returned 0x0 [0190.053] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0190.054] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0190.079] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0190.079] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0195.074] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0195.074] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0195.074] NtClose (Handle=0xb8) returned 0x0 [0195.074] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0195.074] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0195.095] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0195.096] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0200.097] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0200.097] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0200.097] NtClose (Handle=0xb8) returned 0x0 [0200.097] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0200.097] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0200.114] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0200.115] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0205.120] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0205.120] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0205.120] NtClose (Handle=0xb8) returned 0x0 [0205.120] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0205.120] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0205.143] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0205.143] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0210.143] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0210.143] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0210.143] NtClose (Handle=0xb8) returned 0x0 [0210.143] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0210.143] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0210.161] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0210.161] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0215.166] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0215.167] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0215.167] NtClose (Handle=0xb8) returned 0x0 [0215.167] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0215.167] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0215.185] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0215.185] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0220.190] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0220.190] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0220.190] NtClose (Handle=0xb8) returned 0x0 [0220.190] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0220.190] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0220.208] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0220.208] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0225.213] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0225.213] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0225.213] NtClose (Handle=0xb8) returned 0x0 [0225.213] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0225.213] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0225.230] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0225.230] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0230.236] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0230.236] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0230.236] NtClose (Handle=0xb8) returned 0x0 [0230.236] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0230.237] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0230.257] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0230.257] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0235.259] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0235.259] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0235.259] NtClose (Handle=0xb8) returned 0x0 [0235.259] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0235.260] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0235.278] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0235.278] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0240.282] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0240.282] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0240.282] NtClose (Handle=0xb8) returned 0x0 [0240.282] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0240.283] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0240.304] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0240.305] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0245.337] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0245.337] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0245.337] NtClose (Handle=0xb8) returned 0x0 [0245.337] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0245.337] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0245.354] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0245.355] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0250.360] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0xb8) returned 0x0 [0250.360] NtEnumerateValueKey (in: KeyHandle=0xb8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0250.360] NtClose (Handle=0xb8) returned 0x0 [0250.360] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0250.360] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0250.378] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0250.378] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0255.383] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0255.383] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0255.383] NtClose (Handle=0x114) returned 0x0 [0255.383] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0255.383] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0255.424] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0255.424] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0261.046] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0261.046] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0261.046] NtClose (Handle=0x114) returned 0x0 [0261.046] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0261.046] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0261.067] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0261.067] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0266.069] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0266.069] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0266.069] NtClose (Handle=0x114) returned 0x0 [0266.069] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0266.070] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0266.099] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0266.100] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0271.092] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0271.092] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0271.092] NtClose (Handle=0x114) returned 0x0 [0271.093] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0271.093] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0271.120] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0271.121] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0276.116] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0276.116] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0276.116] NtClose (Handle=0x114) returned 0x0 [0276.116] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0276.116] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0276.140] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0276.140] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0281.139] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0281.139] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0281.139] NtClose (Handle=0x114) returned 0x0 [0281.139] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0281.139] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0281.165] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0281.165] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0286.162] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0286.162] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0286.162] NtClose (Handle=0x114) returned 0x0 [0286.162] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0286.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0286.188] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0286.189] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0291.185] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0291.185] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0291.185] NtClose (Handle=0x114) returned 0x0 [0291.185] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0291.186] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0291.211] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0291.211] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0296.208] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0296.208] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0296.208] NtClose (Handle=0x114) returned 0x0 [0296.208] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0296.209] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0296.228] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0296.228] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0301.232] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0301.232] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0301.232] NtClose (Handle=0x114) returned 0x0 [0301.232] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0301.232] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0301.253] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0301.254] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0306.255] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0306.255] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0306.255] NtClose (Handle=0x114) returned 0x0 [0306.255] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0306.255] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0306.275] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0306.276] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0311.278] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0311.278] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0311.278] NtClose (Handle=0x114) returned 0x0 [0311.278] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0311.278] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0311.298] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0311.298] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0316.301] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0316.301] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0316.301] NtClose (Handle=0x114) returned 0x0 [0316.301] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0316.302] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0316.322] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) returned 0x0 [0316.322] NtDelayExecution (Alertable=0, Interval=0x1be9d8*=-50000000) returned 0x0 [0321.324] NtCreateKey (in: KeyHandle=0x1be9d8, DesiredAccess=0x20219, ObjectAttributes=0x1be354*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3388679973-3930757225-3770151564-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x1be9d8*=0x114) returned 0x0 [0321.324] NtEnumerateValueKey (in: KeyHandle=0x114, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x1be5a8, Length=0x200, ResultLength=0x1be9a8 | out: KeyValueInformation=0x1be5a8, ResultLength=0x1be9a8) returned 0x0 [0321.324] NtClose (Handle=0x114) returned 0x0 [0321.325] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1be9c8*=0x0, ZeroBits=0x0, RegionSize=0x1be9cc*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x1be9c8*=0xd0000, RegionSize=0x1be9cc*=0x10000) returned 0x0 [0321.325] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xd0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xd0000, ResultLength=0x0) returned 0x0 [0321.345] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1bf004*=0xd0000, RegionSize=0x1bf008, FreeType=0x8000) Thread: id = 95 os_tid = 0x6d0 Thread: id = 96 os_tid = 0x6e4 Thread: id = 98 os_tid = 0x46c Thread: id = 99 os_tid = 0x63c Thread: id = 100 os_tid = 0x5c8 Process: id = "14" image_name = "firefox.exe" filename = "c:\\program files (x86)\\mozilla firefox\\firefox.exe" page_root = "0x7200a000" os_pid = "0x6dc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x634" cmd_line = "\"C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e25d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1807 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1808 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1809 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1810 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1811 start_va = 0x60000 end_va = 0x62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1812 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1813 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1814 start_va = 0x3e0000 end_va = 0x8c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1815 start_va = 0x1190000 end_va = 0x11d3fff entry_point = 0x1190000 region_type = mapped_file name = "firefox.exe" filename = "\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe") Region: id = 1816 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1817 start_va = 0x77490000 end_va = 0x7760ffff entry_point = 0x77490000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1818 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1819 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1820 start_va = 0xfffb0000 end_va = 0xfffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000fffb0000" filename = "" Region: id = 1821 start_va = 0xfffdb000 end_va = 0xfffddfff entry_point = 0x0 region_type = private name = "private_0x00000000fffdb000" filename = "" Region: id = 1822 start_va = 0xfffde000 end_va = 0xfffdefff entry_point = 0x0 region_type = private name = "private_0x00000000fffde000" filename = "" Region: id = 1823 start_va = 0xfffdf000 end_va = 0xfffdffff entry_point = 0x0 region_type = private name = "private_0x00000000fffdf000" filename = "" Region: id = 1824 start_va = 0xfffe0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x00000000fffe0000" filename = "" Region: id = 1826 start_va = 0x70000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1828 start_va = 0x1190000 end_va = 0x11d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 1830 start_va = 0x950000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 1831 start_va = 0x73a00000 end_va = 0x73a07fff entry_point = 0x73a020f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1832 start_va = 0x73a10000 end_va = 0x73a6bfff entry_point = 0x73a4f798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1833 start_va = 0x73a70000 end_va = 0x73aaefff entry_point = 0x73a9de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1834 start_va = 0x180000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1835 start_va = 0x76720000 end_va = 0x7682ffff entry_point = 0x767332d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1836 start_va = 0x76e10000 end_va = 0x76e55fff entry_point = 0x76e17478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1837 start_va = 0x77090000 end_va = 0x771aefff entry_point = 0x0 region_type = private name = "private_0x0000000077090000" filename = "" Region: id = 1838 start_va = 0x771b0000 end_va = 0x772a9fff entry_point = 0x0 region_type = private name = "private_0x00000000771b0000" filename = "" Region: id = 1839 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1840 start_va = 0x100000 end_va = 0x166fff entry_point = 0x100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1841 start_va = 0x74b00000 end_va = 0x74bbdfff entry_point = 0x74b00000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcr100.dll") Region: id = 1842 start_va = 0x74fe0000 end_va = 0x74febfff entry_point = 0x74fe10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1843 start_va = 0x74ff0000 end_va = 0x7504ffff entry_point = 0x7500a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1844 start_va = 0x76260000 end_va = 0x762fffff entry_point = 0x762749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1845 start_va = 0x76300000 end_va = 0x7638ffff entry_point = 0x76316343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1846 start_va = 0x768f0000 end_va = 0x769dffff entry_point = 0x76900569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1847 start_va = 0x76ca0000 end_va = 0x76d4bfff entry_point = 0x76caa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1848 start_va = 0x76d50000 end_va = 0x76d59fff entry_point = 0x76d536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1849 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76da3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1850 start_va = 0x76e70000 end_va = 0x76e88fff entry_point = 0x76e74975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1851 start_va = 0x76f90000 end_va = 0x7708ffff entry_point = 0x76fab6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1852 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1853 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1854 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1855 start_va = 0x9d0000 end_va = 0xb57fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 1856 start_va = 0x76160000 end_va = 0x7622bfff entry_point = 0x7616168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1857 start_va = 0x764d0000 end_va = 0x7652ffff entry_point = 0x764e158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1858 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1859 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1860 start_va = 0xb60000 end_va = 0xce0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 1861 start_va = 0xe50000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 1862 start_va = 0xe60000 end_va = 0xfdffff entry_point = 0xe60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1863 start_va = 0x11e0000 end_va = 0x25dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011e0000" filename = "" Region: id = 1864 start_va = 0x768c0000 end_va = 0x768c5fff entry_point = 0x768c1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1865 start_va = 0x76c60000 end_va = 0x76c94fff entry_point = 0x76c6145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1866 start_va = 0x74860000 end_va = 0x748c8fff entry_point = 0x74860000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcp100.dll") Region: id = 1867 start_va = 0x748d0000 end_va = 0x748f1fff entry_point = 0x748d0000 region_type = mapped_file name = "mozglue.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozglue.dll") Region: id = 1868 start_va = 0x74900000 end_va = 0x74931fff entry_point = 0x749037f1 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 1869 start_va = 0x74940000 end_va = 0x74af4fff entry_point = 0x74aa2823 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll") Region: id = 1870 start_va = 0x74f90000 end_va = 0x74f96fff entry_point = 0x74f91120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 1871 start_va = 0xcf0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1872 start_va = 0x769e0000 end_va = 0x76afcfff entry_point = 0x769e0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1873 start_va = 0x76e60000 end_va = 0x76e6bfff entry_point = 0x76e60000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Thread: id = 97 os_tid = 0x6f8 [0164.952] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x3df93c | out: HeapArray=0x3df93c*=0x180000) returned 0x3 [0164.958] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\ntdll.dll", NtPathName=0x3df64c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0164.960] NtCreateFile (in: FileHandle=0x3df678, DesiredAccess=0x1200a0, ObjectAttributes=0x3df634*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x3df654, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x3df678*=0x58, IoStatusBlock=0x3df654*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0164.969] NtCreateSection (in: SectionHandle=0x3df5d4, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x58 | out: SectionHandle=0x3df5d4*=0x5c) returned 0x0 [0164.971] NtMapViewOfSection (in: SectionHandle=0x5c, ProcessHandle=0xffffffff, BaseAddress=0x3df5d0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x3df5cc*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x3df5d0*=0xe60000, SectionOffset=0x0, ViewSize=0x3df5cc*=0x180000) returned 0x40000003 [0164.972] NtClose (Handle=0x58) returned 0x0 [0164.973] NtClose (Handle=0x5c) returned 0x0 [0164.975] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3df680*=0xe60000, NumberOfBytesToProtect=0x3df690, NewAccessProtection=0x40, OldAccessProtection=0x3df67c | out: BaseAddress=0x3df680*=0xe60000, NumberOfBytesToProtect=0x3df690, OldAccessProtection=0x3df67c*=0x2) returned 0x0 [0164.975] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3df674*=0xe70000, NumberOfBytesToProtect=0x3df678, NewAccessProtection=0x40, OldAccessProtection=0x3df67c | out: BaseAddress=0x3df674*=0xe70000, NumberOfBytesToProtect=0x3df678, OldAccessProtection=0x3df67c*=0x20) returned 0x0 [0164.976] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3df674*=0xf50000, NumberOfBytesToProtect=0x3df678, NewAccessProtection=0x40, OldAccessProtection=0x3df67c | out: BaseAddress=0x3df674*=0xf50000, NumberOfBytesToProtect=0x3df678, OldAccessProtection=0x3df67c*=0x20) returned 0x0 [0164.976] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3df674*=0xf60000, NumberOfBytesToProtect=0x3df678, NewAccessProtection=0x40, OldAccessProtection=0x3df67c | out: BaseAddress=0x3df674*=0xf60000, NumberOfBytesToProtect=0x3df678, OldAccessProtection=0x3df67c*=0x8) returned 0x0 [0164.976] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3df674*=0xf70000, NumberOfBytesToProtect=0x3df678, NewAccessProtection=0x40, OldAccessProtection=0x3df67c | out: BaseAddress=0x3df674*=0xf70000, NumberOfBytesToProtect=0x3df678, OldAccessProtection=0x3df67c*=0x2) returned 0x0 [0164.977] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x3df674*=0xfd0000, NumberOfBytesToProtect=0x3df678, NewAccessProtection=0x40, OldAccessProtection=0x3df67c | out: BaseAddress=0x3df674*=0xfd0000, NumberOfBytesToProtect=0x3df678, OldAccessProtection=0x3df67c*=0x2) returned 0x0 Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xe396000" os_pid = "0x2c4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x34c" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a6fb" [0xc000000f], "LOCAL" [0x7] Region: id = 1913 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1914 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1915 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1916 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1917 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1918 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1919 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1920 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1921 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1922 start_va = 0x170000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1923 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1924 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1925 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 1926 start_va = 0x3d0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1927 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1928 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1929 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1930 start_va = 0x720000 end_va = 0x7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 1931 start_va = 0x7e0000 end_va = 0xbd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1932 start_va = 0xbe0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 1933 start_va = 0xc00000 end_va = 0xc00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 1934 start_va = 0xc10000 end_va = 0xc10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 1935 start_va = 0xc20000 end_va = 0xc20fff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1936 start_va = 0xc30000 end_va = 0xc30fff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 1937 start_va = 0xc40000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 1938 start_va = 0xcc0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 1939 start_va = 0xdc0000 end_va = 0xdc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 1940 start_va = 0xdd0000 end_va = 0xdd1fff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 1941 start_va = 0xde0000 end_va = 0xde2fff entry_point = 0xde0000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 1942 start_va = 0xdf0000 end_va = 0xdf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 1943 start_va = 0xe00000 end_va = 0xe00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 1944 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1945 start_va = 0xe30000 end_va = 0xeaffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 1946 start_va = 0xec0000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 1947 start_va = 0xf50000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 1948 start_va = 0xfd0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1949 start_va = 0x10e0000 end_va = 0x13aefff entry_point = 0x10e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1950 start_va = 0x1430000 end_va = 0x1491fff entry_point = 0x1430000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1951 start_va = 0x14b0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 1952 start_va = 0x1530000 end_va = 0x1537fff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 1953 start_va = 0x1540000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 1954 start_va = 0x1600000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 1955 start_va = 0x1680000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 1956 start_va = 0x1720000 end_va = 0x179ffff entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 1957 start_va = 0x17d0000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x00000000017d0000" filename = "" Region: id = 1958 start_va = 0x1850000 end_va = 0x18cffff entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 1959 start_va = 0x18d0000 end_va = 0x194ffff entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 1960 start_va = 0x1970000 end_va = 0x19effff entry_point = 0x0 region_type = private name = "private_0x0000000001970000" filename = "" Region: id = 1961 start_va = 0x1a00000 end_va = 0x1a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1962 start_va = 0x1ad0000 end_va = 0x1b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 1963 start_va = 0x1b50000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b50000" filename = "" Region: id = 1964 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 1965 start_va = 0x1e70000 end_va = 0x1eeffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 1966 start_va = 0x1f00000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1967 start_va = 0x1f90000 end_va = 0x200ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1968 start_va = 0x2050000 end_va = 0x20cffff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 1969 start_va = 0x2150000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 1970 start_va = 0x2550000 end_va = 0x2952fff entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 1971 start_va = 0x29b0000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 1972 start_va = 0x2a60000 end_va = 0x2adffff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 1973 start_va = 0x2bc0000 end_va = 0x2c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 1974 start_va = 0x2c40000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 1975 start_va = 0x74e50000 end_va = 0x74e52fff entry_point = 0x74e50000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 1976 start_va = 0x77090000 end_va = 0x771aefff entry_point = 0x770a5ea0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1977 start_va = 0x771b0000 end_va = 0x772a9fff entry_point = 0x771ca2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1978 start_va = 0x772b0000 end_va = 0x77458fff entry_point = 0x772b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1979 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1980 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1981 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1982 start_va = 0xff190000 end_va = 0xff1e2fff entry_point = 0xff190000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1983 start_va = 0xff5f0000 end_va = 0xff5fafff entry_point = 0xff5f0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1984 start_va = 0xffd30000 end_va = 0xffd91fff entry_point = 0xffd408d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1985 start_va = 0x7fef35f0000 end_va = 0x7fef369dfff entry_point = 0x7fef35f0000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1986 start_va = 0x7fef3b60000 end_va = 0x7fef3c84fff entry_point = 0x7fef3b60000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1987 start_va = 0x7fef57e0000 end_va = 0x7fef57f3fff entry_point = 0x7fef57e0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1988 start_va = 0x7fef5b60000 end_va = 0x7fef5b86fff entry_point = 0x7fef5b60000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1989 start_va = 0x7fef5b90000 end_va = 0x7fef5c71fff entry_point = 0x7fef5b90000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1990 start_va = 0x7fef75b0000 end_va = 0x7fef75cafff entry_point = 0x7fef75b0000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1991 start_va = 0x7fef7870000 end_va = 0x7fef78f5fff entry_point = 0x7fef7870000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1992 start_va = 0x7fef7c10000 end_va = 0x7fef7c5efff entry_point = 0x7fef7c12764 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1993 start_va = 0x7fef7e90000 end_va = 0x7fef7eabfff entry_point = 0x7fef7e90000 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1994 start_va = 0x7fef8bc0000 end_va = 0x7fef8bd7fff entry_point = 0x7fef8bc1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1995 start_va = 0x7fef8be0000 end_va = 0x7fef8bf0fff entry_point = 0x7fef8be16ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1996 start_va = 0x7fef8ca0000 end_va = 0x7fef8cdafff entry_point = 0x7fef8ca0000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1997 start_va = 0x7fef8ce0000 end_va = 0x7fef8d30fff entry_point = 0x7fef8ce0000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1998 start_va = 0x7fef8d50000 end_va = 0x7fef8d57fff entry_point = 0x7fef8d50000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 1999 start_va = 0x7fef8d60000 end_va = 0x7fef8d69fff entry_point = 0x7fef8d60000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 2000 start_va = 0x7fefab00000 end_va = 0x7fefab0efff entry_point = 0x7fefab00000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2001 start_va = 0x7fefaba0000 end_va = 0x7fefabaafff entry_point = 0x7fefaba1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2002 start_va = 0x7fefabb0000 end_va = 0x7fefabd6fff entry_point = 0x7fefabb98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2003 start_va = 0x7fefb670000 end_va = 0x7fefb678fff entry_point = 0x7fefb671010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2004 start_va = 0x7fefb680000 end_va = 0x7fefb6cafff entry_point = 0x7fefb68efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2005 start_va = 0x7fefb6d0000 end_va = 0x7fefb6fbfff entry_point = 0x7fefb6d15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2006 start_va = 0x7fefb700000 end_va = 0x7fefb7abfff entry_point = 0x7fefb700000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2007 start_va = 0x7fefb7b0000 end_va = 0x7fefb7dcfff entry_point = 0x7fefb7b1010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2008 start_va = 0x7fefbbb0000 end_va = 0x7fefbcdbfff entry_point = 0x7fefbbb94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2009 start_va = 0x7fefc220000 end_va = 0x7fefc3b5fff entry_point = 0x7fefc220000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 2010 start_va = 0x7fefc3c0000 end_va = 0x7fefc3cbfff entry_point = 0x7fefc3c1064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2011 start_va = 0x7fefc3d0000 end_va = 0x7fefc48afff entry_point = 0x7fefc3d0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2012 start_va = 0x7fefc490000 end_va = 0x7fefc496fff entry_point = 0x7fefc490000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2013 start_va = 0x7fefc580000 end_va = 0x7fefc59afff entry_point = 0x7fefc580000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2014 start_va = 0x7fefc6f0000 end_va = 0x7fefc6f9fff entry_point = 0x7fefc6f3cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2015 start_va = 0x7fefc7f0000 end_va = 0x7fefc836fff entry_point = 0x7fefc7f1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2016 start_va = 0x7fefc910000 end_va = 0x7fefc96afff entry_point = 0x7fefc910000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2017 start_va = 0x7fefca80000 end_va = 0x7fefca86fff entry_point = 0x7fefca80000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2018 start_va = 0x7fefca90000 end_va = 0x7fefcae4fff entry_point = 0x7fefca90000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2019 start_va = 0x7fefcaf0000 end_va = 0x7fefcb06fff entry_point = 0x7fefcaf32b8 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2020 start_va = 0x7fefcd20000 end_va = 0x7fefcd8cfff entry_point = 0x7fefcd21010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2021 start_va = 0x7fefd090000 end_va = 0x7fefd09afff entry_point = 0x7fefd091030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2022 start_va = 0x7fefd0c0000 end_va = 0x7fefd0e4fff entry_point = 0x7fefd0c9658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2023 start_va = 0x7fefd0f0000 end_va = 0x7fefd0fefff entry_point = 0x7fefd0f1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2024 start_va = 0x7fefd1a0000 end_va = 0x7fefd1dcfff entry_point = 0x7fefd1a18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2025 start_va = 0x7fefd1e0000 end_va = 0x7fefd1f3fff entry_point = 0x7fefd1e10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2026 start_va = 0x7fefd200000 end_va = 0x7fefd20efff entry_point = 0x7fefd2019b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2027 start_va = 0x7fefd2a0000 end_va = 0x7fefd2aefff entry_point = 0x7fefd2a1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2028 start_va = 0x7fefd2b0000 end_va = 0x7fefd2c9fff entry_point = 0x7fefd2b1558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2029 start_va = 0x7fefd2d0000 end_va = 0x7fefd436fff entry_point = 0x7fefd2d10c0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2030 start_va = 0x7fefd440000 end_va = 0x7fefd475fff entry_point = 0x7fefd441474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2031 start_va = 0x7fefd480000 end_va = 0x7fefd4b9fff entry_point = 0x7fefd481320 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2032 start_va = 0x7fefd560000 end_va = 0x7fefd5cafff entry_point = 0x7fefd5630e0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2033 start_va = 0x7fefd5d0000 end_va = 0x7fefd6fcfff entry_point = 0x7fefd61ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2034 start_va = 0x7fefd700000 end_va = 0x7fefd766fff entry_point = 0x7fefd70b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2035 start_va = 0x7fefd770000 end_va = 0x7fefd77dfff entry_point = 0x7fefd771080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2036 start_va = 0x7fefd780000 end_va = 0x7fefd856fff entry_point = 0x7fefd783274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2037 start_va = 0x7fefd860000 end_va = 0x7fefd8d0fff entry_point = 0x7fefd871e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2038 start_va = 0x7fefd8e0000 end_va = 0x7fefdae2fff entry_point = 0x7fefd903330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2039 start_va = 0x7fefdaf0000 end_va = 0x7fefdbb8fff entry_point = 0x7fefdb6a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2040 start_va = 0x7fefdbc0000 end_va = 0x7fefdc9afff entry_point = 0x7fefdbe0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2041 start_va = 0x7fefdf00000 end_va = 0x7fefdf9efff entry_point = 0x7fefdf025a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2042 start_va = 0x7fefdfa0000 end_va = 0x7fefe176fff entry_point = 0x7fefdfa1010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2043 start_va = 0x7fefe180000 end_va = 0x7fefe218fff entry_point = 0x7fefe181c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2044 start_va = 0x7fefe220000 end_va = 0x7fefe23efff entry_point = 0x7fefe2260e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2045 start_va = 0x7fefe3c0000 end_va = 0x7fefe4c8fff entry_point = 0x7fefe3c1064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2046 start_va = 0x7feff300000 end_va = 0x7feff32dfff entry_point = 0x7feff301010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2047 start_va = 0x7feff330000 end_va = 0x7feff337fff entry_point = 0x7feff331504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2048 start_va = 0x7feff470000 end_va = 0x7feff4bcfff entry_point = 0x7feff471070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2049 start_va = 0x7feff4c0000 end_va = 0x7feff511fff entry_point = 0x7feff4c10d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2050 start_va = 0x7feff5d0000 end_va = 0x7feff5d0fff entry_point = 0x7feff5d0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2051 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 2052 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 2053 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 2054 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 2055 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 2056 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 2057 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2058 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2059 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2060 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2061 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2062 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2063 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2064 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2065 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2066 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2067 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2068 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2069 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2070 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2071 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2072 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2073 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2074 start_va = 0xe20000 end_va = 0xe20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 2075 start_va = 0x7fefc5a0000 end_va = 0x7fefc5bdfff entry_point = 0x7fefc5a13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2076 start_va = 0x7fefaea0000 end_va = 0x7fefaeb4fff entry_point = 0x7fefaea1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2077 start_va = 0x7fefaec0000 end_va = 0x7fefaecbfff entry_point = 0x7fefaec18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 102 os_tid = 0x738 Thread: id = 103 os_tid = 0x324 Thread: id = 104 os_tid = 0x7ec Thread: id = 105 os_tid = 0x784 Thread: id = 106 os_tid = 0x660 Thread: id = 107 os_tid = 0x65c Thread: id = 108 os_tid = 0x654 Thread: id = 109 os_tid = 0x5e4 Thread: id = 110 os_tid = 0x454 Thread: id = 111 os_tid = 0x43c Thread: id = 112 os_tid = 0x430 Thread: id = 113 os_tid = 0x410 Thread: id = 114 os_tid = 0x3a4 Thread: id = 115 os_tid = 0x39c Thread: id = 116 os_tid = 0x38c Thread: id = 117 os_tid = 0x2f8 Thread: id = 118 os_tid = 0x2f4 Thread: id = 119 os_tid = 0x2e8 Thread: id = 120 os_tid = 0x2d0 Thread: id = 121 os_tid = 0x2c8 Thread: id = 122 os_tid = 0x578 Thread: id = 125 os_tid = 0x788